There is a vulnerability in the smart contract ChoosingRam: the function increaseValuesOfParticipants relies on insecure randomness generation, using block.timestamp and block.prevrandao for randomness, which can be manipulated by malicious actors. This vulnerability could lead to unfair outcomes in the selection process facilitated by the contract.
The specific values of block.timestamp and block.prevrandao at the time of contract execution will determine the exact outcome of the random value. Since both values can vary and are influenced by factors such as block creation time and previous block randomness, the resulting random value can theoretically be either 0 or 1, depending on the specific combination and interaction of these factors at the time of execution.
The contract uses block.timestamp and block.prevrandao as sources of randomness. However, these values are publicly accessible and can be manipulated: malicious actors can influence block.timestamp, while the predictability of block.prevrandao poses a risk of exploitation.
The impact of relying on insecure randomness generation methods, such as block.timestamp and block.prevrandao, and constraining the outcome to 0 or 1, is the compromise of fairness, integrity, trust, and financial stability of the contract and the associated decentralized application.
Manual review
Integrate with an external randomness source that provides unpredictable and tamper-resistant random values. Trusted oracle services, such as Chainlink VRF
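The recommendation above as an added example (not the ChoosingRam source and not Chainlink's own code): the outcome is requested in one transaction and delivered by the oracle in a later one, so no value exists to predict at call time. The names IVRFCoordinator and RandomOutcome and the constants 3 and 200_000 are assumptions; the interface follows the shape of Chainlink VRF v2's requestRandomWords.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the ChoosingRam source. Interface and contract names are
// assumptions; the interface mirrors Chainlink VRF v2's requestRandomWords.
interface IVRFCoordinator {
    function requestRandomWords(bytes32 keyHash, uint64 subId, uint16 minConfirmations,
        uint32 callbackGasLimit, uint32 numWords) external returns (uint256 requestId);
}

contract RandomOutcome {
    IVRFCoordinator public immutable coordinator;
    bytes32 public immutable keyHash;
    uint64 public immutable subId;
    mapping(uint256 => address) public requester; // requestId => caller
    mapping(address => bool) public pending;      // one open request per caller

    event OutcomeRequested(uint256 indexed requestId, address indexed caller);
    event OutcomeResolved(uint256 indexed requestId, address indexed caller, uint256 outcome);

    constructor(address coordinator_, bytes32 keyHash_, uint64 subId_) {
        coordinator = IVRFCoordinator(coordinator_);
        keyHash = keyHash_;
        subId = subId_;
    }

    // Weak pattern (illustrative): both inputs are fixed for the whole block,
    // so the result is known before the call commits.
    //   uint256 random = uint256(keccak256(abi.encodePacked(
    //       block.timestamp, block.prevrandao))) % 2;

    // Step 1: record the request only. No outcome is computed in this transaction.
    function requestOutcome() external returns (uint256 requestId) {
        require(!pending[msg.sender], "request already open");
        pending[msg.sender] = true;
        requestId = coordinator.requestRandomWords(keyHash, subId, 3, 200_000, 1);
        requester[requestId] = msg.sender;
        emit OutcomeRequested(requestId, msg.sender);
    }

    // Step 2: only the coordinator may deliver the random word for a known request.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory words) external {
        require(msg.sender == address(coordinator), "only coordinator");
        address caller = requester[requestId];
        require(caller != address(0), "unknown request");
        delete requester[requestId];
        pending[caller] = false;
        emit OutcomeResolved(requestId, caller, words[0] % 2); // outcome is 0 or 1
    }
}
```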