The `random` value used during `ChoosingRam::increaseValuesOfParticipants` can be influenced by a malicious validator, which can be abused to guarantee a specific NFT is upgraded.
`ChoosingRam::increaseValuesOfParticipants` determines the `random` value by hashing block attributes (`block.timestamp` and `block.prevrandao`) and the `msg.sender`. Of these values, two are known beforehand (`block.prevrandao` and `msg.sender`) and the final value, `block.timestamp`, can be influenced by validators.
A block's `block.timestamp` can be influenced by a malicious validator, resulting in a `random` value that is not truly random. This can be abused to guarantee a specific NFT is chosen to have its attributes upgraded.
Manual Review
Use a better source of randomness, such as Chainlink VRF.
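The weak derivation described above next to a request/callback design, as an added sketch that is not the contest's code. `IRandomnessOracle`, `RandomnessSketch`, the two-token selection and every function name below are hypothetical; a real integration would use the VRF provider's own consumer interface in place of the stand-in oracle.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for a VRF coordinator (not a real Chainlink interface).
interface IRandomnessOracle {
    function requestRandomWord() external returns (uint256 requestId);
}

contract RandomnessSketch {
    struct Pending { uint256 tokenA; uint256 tokenB; bool open; }

    IRandomnessOracle public immutable oracle; // assumed trusted randomness provider
    mapping(uint256 => Pending) private pending;

    event Selected(uint256 indexed requestId, uint256 tokenId);

    constructor(IRandomnessOracle oracle_) { oracle = oracle_; }

    // WEAK: the pattern the finding describes. block.prevrandao and msg.sender
    // are known beforehand and block.timestamp is set by the block producer,
    // so the result is fixed by parties with a stake in the outcome.
    function weakRandom() public view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(
            block.timestamp, block.prevrandao, msg.sender)));
    }

    // HARDENED, step 1: record who takes part and ask the oracle.
    // Nothing is decided in this transaction, so nothing in it can be tuned.
    function requestSelection(uint256 tokenA, uint256 tokenB)
        external returns (uint256 requestId)
    {
        requestId = oracle.requestRandomWord();
        pending[requestId] = Pending(tokenA, tokenB, true);
    }

    // HARDENED, step 2: only the oracle may deliver the random word, and each
    // request is consumed exactly once.
    function fulfillRandomWord(uint256 requestId, uint256 randomWord) external {
        require(msg.sender == address(oracle), "only oracle");
        Pending memory p = pending[requestId];
        require(p.open, "unknown or used request");
        delete pending[requestId];
        emit Selected(requestId, randomWord % 2 == 0 ? p.tokenA : p.tokenB);
    }
}
```

The participants are committed before the random word exists, and the word arrives in a later transaction from a party other than the caller or the block producer.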