k26dr / ethereum-games

The official code repo for the book Building Games with Ethereum Smart Contracts

RNGLottery security issue #7

Open ferencdg opened 3 years ago

ferencdg commented 3 years ago

I think there is a problem with that RNGLottery contract. If I am an attacker, I can have 3 addresses and buy 3 different lottery tickets. During the reveal phase I can influence the 'seed' calculation by choosing which one of my 3 commitments I want to reveal (and hence make myself the winner). Maybe I choose not to reveal 1 of my commitments, so one of my 2 other tickets can win.

If I buy n lottery tickets and I also observe the node's transaction pool (in order to decide which of the n commitments to reveal), then I will have 2n-1 ways to manipulate the final seed value and still have at least 1 valid lottery ticket. That is a much higher chance than someone buying n tickets and not trying to manipulate the seed value.

To carry out this attack I would either have to:

  1. be able to send my carefully selected commitments at the last block of the reveal phase and also be able to predict which other reveals from other players will be included in the last block or
  2. mine the block myself and decide which reveal transactions go into the block

Although attack number 2 is hard to carry out, number 1 seems easy enough. Most mining clients order transactions in the block deterministically, so as long as I can predict which other reveal transactions from other players end up in the last block of the reveal phase, I would be able to manipulate the seed value.
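
To measure the bias this issue reports, here is an added example that is not code from the repository or from the commenter: a Python model of a commit-reveal draw. It assumes each reveal folds the secret into the seed by hashing, the winner is the seed modulo the number of revealed players, and one participant's reveals land after everyone else's; SHA-256 stands in for the contract's hash, and all function names are hypothetical.

```python
import hashlib
import random
from itertools import combinations

def fold_seed(secrets):
    # Assumed seed rule: seed = H(seed || secret) for each reveal, in order.
    # SHA-256 stands in for the contract's hash function.
    seed = bytes(32)
    for s in secrets:
        seed = hashlib.sha256(seed + s.to_bytes(32, "big")).digest()
    return int.from_bytes(seed, "big")

def winner(revealed):
    # revealed: list of (owner, secret) in reveal order.
    # Assumed draw rule: winner = players[seed % len(players)].
    seed = fold_seed([secret for _, secret in revealed])
    return revealed[seed % len(revealed)][0]

def reveal_choices(n):
    # Every non-empty subset of one participant's n commitments.
    return [c for k in range(1, n + 1) for c in combinations(range(n), k)]

def win_rates(n_mine, n_others, trials, rng):
    # Returns (rate when revealing everything, rate when some subset wins).
    honest = selective = 0
    for _ in range(trials):
        others = [("other", rng.getrandbits(256)) for _ in range(n_others)]
        mine = [("me", rng.getrandbits(256)) for _ in range(n_mine)]
        honest += winner(others + mine) == "me"
        selective += any(
            winner(others + [mine[i] for i in subset]) == "me"
            for subset in reveal_choices(n_mine)
        )
    return honest / trials, selective / trials

if __name__ == "__main__":
    rng = random.Random(7)  # constructed, reproducible sample secrets
    honest, selective = win_rates(3, 5, 2000, rng)
    print(f"reveal all 3 of 8 tickets: {honest:.3f}")
    print(f"best of {len(reveal_choices(3))} reveal subsets: {selective:.3f}")
```

Under these assumptions the gap between the two rates is the advantage gained purely from withholding reveals, which is the quantity a fix to the seed derivation has to drive to zero.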