The `ChoosingRam::selectRamIfNotSelected` function uses a weak source of randomness derived from `block.timestamp` and `block.prevrandao` to select the Ram. This method is susceptible to miner manipulation, potentially allowing unfair advantages in selecting the Ram.
The `ChoosingRam::selectRamIfNotSelected` function selects the Ram. The winner is determined by a random number that represents the token ID of the selected Ram.
The problem arises because the random number is generated from values that can be manipulated by a miner: `block.timestamp` and `block.prevrandao`. This means the selected Ram can be manipulated, which is an unfair advantage. Only the organiser can call this function, but it still opens the way for miners to steer the selection toward the Ram they want.
The randomness is weak: a malicious miner (or organiser) can potentially select a specific Ram as the winner, gaining a strong advantage over other participants.
Manual review
The recommendation is to use Chainlink VRF to generate random numbers.
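The following sketch is an added example, not the audited contract's code: it places the weak pattern the finding describes beside a two-step Chainlink VRF v2 request and callback. The contract name, state variables, `ramCount`, the confirmation count and the callback gas limit are assumptions; only the coordinator's `requestRandomWords` signature and the `rawFulfillRandomWords` callback name come from Chainlink VRF v2.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added example with hypothetical names. Only the VRF v2 coordinator call used below is declared.
interface IVRFCoordinatorV2 {
    function requestRandomWords(bytes32 keyHash, uint64 subId, uint16 minimumRequestConfirmations,
        uint32 callbackGasLimit, uint32 numWords) external returns (uint256 requestId);
}

contract RamSelectionSketch {
    IVRFCoordinatorV2 private immutable coordinator;
    address private immutable organiser;
    bytes32 private immutable keyHash;  // gas lane, network specific
    uint64 private immutable subId;     // funded VRF subscription id
    uint256 public immutable ramCount;  // assumed: number of eligible Ram token ids
    uint256 public selectedRam;
    bool public isRamSelected;
    bool private requestPending;
    uint256 private pendingRequestId;

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId, uint256 _ramCount) {
        require(_ramCount > 0, "no Ram to select");
        coordinator = IVRFCoordinatorV2(_coordinator);
        organiser = msg.sender;
        keyHash = _keyHash;
        subId = _subId;
        ramCount = _ramCount;
    }

    // Weak pattern from the finding: both inputs are known to, or influenced by,
    // whoever produces the block, so the result is predictable before inclusion.
    function weakPick() public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, block.prevrandao))) % ramCount;
    }

    // Step 1: the organiser only requests randomness; nothing is decided in this transaction.
    function selectRamIfNotSelected() external {
        require(msg.sender == organiser, "not organiser");
        require(!isRamSelected && !requestPending, "selected or pending");
        requestPending = true;
        pendingRequestId = coordinator.requestRandomWords(keyHash, subId, 3, 100_000, 1);
    }

    // Step 2: the coordinator delivers the word after verifying the VRF proof on-chain.
    function rawFulfillRandomWords(uint256 requestId, uint256[] memory randomWords) external {
        require(msg.sender == address(coordinator), "only coordinator");
        require(requestPending && requestId == pendingRequestId, "unexpected request");
        requestPending = false;
        selectedRam = randomWords[0] % ramCount;
        isRamSelected = true;
    }
}
```

In a real integration the consumer would normally inherit Chainlink's `VRFConsumerBaseV2`, which supplies the coordinator check done by hand here.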
The organizer is trusted, but the function `ChoosingRam::selectRamIfNotSelected` uses a way to generate a random number that is not completely random.