Contest tags: Beginner Friendly, Foundry, NFT (100 EXP)
Submission Details
Severity: high
Valid

Weak Source of Randomness Used in `ChoosingRam::increaseValuesOfParticipants` Can Be Influenced by Malicious Validator for a Competitive Edge

Summary

The random value used during `ChoosingRam::increaseValuesOfParticipants` can be influenced by a malicious validator, which can be abused to guarantee that a specific NFT is upgraded.

Vulnerability Details

`ChoosingRam::increaseValuesOfParticipants` derives its random value by hashing block attributes (`block.timestamp` and `block.prevrandao`) together with `msg.sender`. Of these inputs, two are known before the transaction executes (`block.prevrandao` and `msg.sender`), and the remaining input, `block.timestamp`, can be influenced by the validator proposing the block.

Impact

A block's `block.timestamp` can be influenced by a malicious validator, so the derived value is not truly random. This can be abused to guarantee that a specific NFT is chosen to have its attributes upgraded.

Tools Used

Manual Review

Recommendations

Use a better source of randomness, such as Chainlink VRF.
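As an added example (not the audited contract's code), the weak derivation described in the Vulnerability Details beside a Chainlink VRF v2 variant that implements the recommendation. The contract shapes, the two token parameters, the request parameters, and the import paths (which differ between `@chainlink/contracts` versions) are assumptions:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Import paths are an assumption; they vary between @chainlink/contracts releases.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Weak pattern (assumed shape of the finding, not the audited source).
contract ChoosingRamWeak {
    // prevrandao and msg.sender are known before the call; timestamp is set by the
    // block proposer, so every input to the hash is known or steerable in advance.
    function increaseValuesOfParticipants(uint256 tokenA, uint256 tokenB) external view returns (uint256 chosen) {
        uint256 random = uint256(
            keccak256(abi.encodePacked(block.timestamp, block.prevrandao, msg.sender))
        ) % 2;
        chosen = random == 0 ? tokenA : tokenB;
        // ... attribute upgrade of `chosen` would happen here ...
    }
}

// Hardened variant: randomness comes from the VRF coordinator and the choice is
// made only in the callback, so no party in the original call path can steer it.
contract ChoosingRamVRF is VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;
    uint64 private immutable i_subId;
    struct Pending { uint256 tokenA; uint256 tokenB; address requester; }
    mapping(uint256 => Pending) private s_pending; // requestId => committed pairing
    event ParticipantUpgraded(uint256 indexed requestId, uint256 chosen);

    constructor(address coordinator, bytes32 keyHash, uint64 subId) VRFConsumerBaseV2(coordinator) {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subId = subId;
    }

    // Step 1: commit the pairing on-chain and request one random word
    // (3 confirmations, 200k callback gas: assumed tuning values).
    function increaseValuesOfParticipants(uint256 tokenA, uint256 tokenB) external returns (uint256 requestId) {
        requestId = i_coordinator.requestRandomWords(i_keyHash, i_subId, 3, 200_000, 1);
        s_pending[requestId] = Pending(tokenA, tokenB, msg.sender);
    }

    // Step 2: the coordinator delivers a verifiable random word for the committed pairing.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        Pending memory p = s_pending[requestId];
        require(p.requester != address(0), "unknown request");
        delete s_pending[requestId]; // one fulfilment per request
        uint256 chosen = randomWords[0] % 2 == 0 ? p.tokenA : p.tokenB;
        // ... upgrade attributes of `chosen` here ...
        emit ParticipantUpgraded(requestId, chosen);
    }
}
```

The pairing is recorded before the random word exists, so neither the caller nor the block proposer can pick inputs after seeing the outcome.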

Updates

Lead Judging Commences

bube (Lead Judge), about 1 year ago: Submission Judgement Published

Validated

Assigned finding tags: Weak randomness in `ChoosingRam::increaseValuesOfParticipants`
