In the ERC20Incentive contract, there are two types of strategies POOL and RAFFLE. Based on this if the strategy of the contract is RAFFLE, there is random generation at the end of the raffle. But the random winner generation is pseudo random.
Vulnerability Detail
In the current implementation of the RAFFLE, the protocol is using for random generation the library LibPRNG, which is a pseudo random generates numbers. Let's dive deep into how it works:
So the LibPRNG will use the block.prevrandao + block.timestamp to generate pseudo random values. Where the block.timestamp can be easily manipulated by the validator. And the block.prevrandao it's not completely unpredictable and should not be relied upon for high-stakes randomness (such as raffles), since validators could potentially manipulate the result by withholding blocks.
And the underlying functions that calculates the random value is
uint(keccak256(abi.encodePacked(block.prevrandao, block.timestamp)));
Use the Chainlink VRF which enables smart contracts to access random values without compromising security or usability. For each request, Chainlink VRF generates one or more random values and cryptographic proof of how those values were determined.
0x539.eth
Medium
Random Generation Can Be Manipulated
Summary
In the
ERC20Incentivecontract, there are two types of strategies POOL and RAFFLE. Based on this if the strategy of the contract is RAFFLE, there is random generation at the end of the raffle. But the random winner generation is pseudo random.Vulnerability Detail
In the current implementation of the RAFFLE, the protocol is using for random generation the library LibPRNG, which is a pseudo random generates numbers. Let's dive deep into how it works:
LibPRNG.PRNG memory _prng = LibPRNG.PRNG({state: block.prevrandao + block.timestamp});So the LibPRNG will use the block.prevrandao + block.timestamp to generate pseudo random values. Where the block.timestamp can be easily manipulated by the validator. And the block.prevrandao it's not completely unpredictable and should not be relied upon for high-stakes randomness (such as raffles), since validators could potentially manipulate the result by withholding blocks.
And the underlying functions that calculates the random value is
uint(keccak256(abi.encodePacked(block.prevrandao, block.timestamp)));https://github.com/sherlock-audit/2024-06-boost-aa-wallet/blob/main/boost-protocol/packages/evm/contracts/incentives/ERC20Incentive.sol#L16
Impact
A malicious minter/validator can manipulate the raffle winner.
Code Snippet
Tool used
Manual Review
Recommendation
Use the Chainlink VRF which enables smart contracts to access random values without compromising security or usability. For each request, Chainlink VRF generates one or more random values and cryptographic proof of how those values were determined.