Lines of code
https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L348-#L387
Vulnerability details
Impact
Insecure and predictable random number generation in closeDraw.winningRandomNumber_() can be influenced by malicious external actors, undermining the fairness, security and unpredictability of the draw function. Both the block timestamp and the block hash can be influenced by miners to some degree.
Proof of Concept
File: PrizePool.sol
Code Link: https://github.com/GenerationSoftware/pt-v5-prize-pool/blob/4bc8a12b857856828c018510b5500d722b79ca3a/src/PrizePool.sol#L348C3-L387C1
Code:
```solidity
function closeDraw(uint256 winningRandomNumber) external onlyDrawManager returns (uint16) {
    // check winning random number
    if (winningRandomNumber == 0) {
        revert RandomNumberIsZero();
    }
    // the draw can only be closed once its scheduled end time has passed
    if (block.timestamp < _openDrawEndsAt()) {
        revert DrawNotFinished(_openDrawEndsAt(), uint64(block.timestamp));
    }
    // ... remainder of the function elided in the original excerpt
}
```
Tools Used
Manual Review
Recommended Mitigation Steps
Do not use block.timestamp as a source of randomness; instead combine multiple independent sources and external consensus mechanisms. The current block timestamp must be strictly greater than the timestamp of the previous block, but the only guarantee is that it lies somewhere between the timestamps of two consecutive blocks in the canonical chain.
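To illustrate the finding and the mitigation side by side, the following is an added example (not code from the PrizePool repository or this report): a draw that derives its winning number from miner-influenceable block values, next to a commit-reveal draw in which the number is the hash of secrets contributed by several participants. Contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable pattern: the outcome depends only on values a block producer can
// observe in advance or nudge (timestamp, previous block hash).
contract TimestampDraw {
    function winningRandomNumber() external view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, blockhash(block.number - 1))));
    }
}

// Hardened pattern: commit-reveal. Participants commit to a secret before the
// draw, then reveal it; the winning number is a hash over all revealed secrets,
// so no single party (miner or participant) controls the result alone.
contract CommitRevealDraw {
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;
    mapping(address => bytes32) public commitments;
    bytes32 private accumulated;
    uint256 public reveals;

    constructor(uint256 commitWindow, uint256 revealWindow) {
        commitDeadline = block.timestamp + commitWindow;
        revealDeadline = commitDeadline + revealWindow;
    }

    // commitment = keccak256(abi.encodePacked(msg.sender, secret)), computed off-chain
    function commit(bytes32 commitment) external {
        require(block.timestamp < commitDeadline, "commit phase over");
        require(commitments[msg.sender] == bytes32(0), "already committed");
        commitments[msg.sender] = commitment;
    }

    function reveal(uint256 secret) external {
        require(block.timestamp >= commitDeadline && block.timestamp < revealDeadline, "not reveal phase");
        require(commitments[msg.sender] == keccak256(abi.encodePacked(msg.sender, secret)), "bad reveal");
        delete commitments[msg.sender];
        accumulated = keccak256(abi.encodePacked(accumulated, secret));
        reveals += 1;
    }

    // Only readable once the reveal window has closed, so nobody can act on a partial result.
    function winningRandomNumber() external view returns (uint256) {
        require(block.timestamp >= revealDeadline, "reveal phase not over");
        require(reveals > 0, "no reveals");
        return uint256(accumulated);
    }
}
```

Commit-reveal still has a last-revealer problem: whoever reveals last can withhold their reveal if the partial result is unfavourable, so in practice a forfeitable bond or an external verifiable randomness source (such as a VRF) is paired with it.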
Assessed type
Timing