A malicious random source can frontrun calls to `swapSource` and prevent protocol owners from changing the random source: by frontrunning the call with a transaction to `onRandomNumberFulfilled`, it resets `failedSequentialAttempts` to zero, making the original call to `swapSource` revert. This process can be repeated any number of times, eventually leading to a DoS and making it impossible to change the random source.
1. The source times out and doesn't return the request response; `retry` is called until `failedSequentialAttempts == maxFailedAttempts`.
2. Protocol owners call `swapSource` to change the random source of the contract.
3. The current random source frontruns the call with a call to `onRandomNumberFulfilled`, which resets `failedSequentialAttempts` back to 0.
4. The original transaction from (2) gets reverted, as `failedSequentialAttempts` is now less than `maxFailedAttempts`.
When `maxFailedAttempts` is reached, enter a more robust "pause" state that lets protocol owners deal better with the current situation.
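To illustrate the recommended pause state, here is an added example (hypothetical code, not the audited contract): a minimal consumer where exhausting `maxFailedAttempts` sets a sticky flag that `onRandomNumberFulfilled` cannot clear, so a front-running fulfilment no longer makes `swapSource` revert. The names `swapSource`, `onRandomNumberFulfilled`, `failedSequentialAttempts` and `maxFailedAttempts` come from the report; `retry`, `sourceFailed`, `owner` and the constructor are assumptions.

```solidity
pragma solidity ^0.8.20;
// Hypothetical consumer contract (added example, not the audited code).
// swapSource, onRandomNumberFulfilled, failedSequentialAttempts and
// maxFailedAttempts are named as in the report; the rest is assumed.
contract RandomConsumer {
    address public owner;
    address public randomSource;
    uint256 public immutable maxFailedAttempts;
    uint256 public failedSequentialAttempts;
    // Sticky pause flag: set once the failure budget is exhausted,
    // cleared only by the owner, never by the random source.
    bool public sourceFailed;

    constructor(address source, uint256 maxAttempts) {
        owner = msg.sender;
        randomSource = source;
        maxFailedAttempts = maxAttempts;
    }

    // Called after a request has timed out (timeout check left abstract).
    function retry() external {
        require(!sourceFailed, "paused: awaiting swapSource");
        failedSequentialAttempts += 1;
        if (failedSequentialAttempts >= maxFailedAttempts) {
            sourceFailed = true; // enter the pause state
        }
        // ... re-issue the request to randomSource
    }

    // Callback from the random source. The weak pattern reset the counter
    // unconditionally; a fulfilment arriving after the pause cannot undo it.
    function onRandomNumberFulfilled(uint256 /* randomNumber */) external {
        require(msg.sender == randomSource, "not source");
        if (!sourceFailed) {
            failedSequentialAttempts = 0;
        }
    }

    // Weak pattern gated on the live counter, which the source can reset:
    //   require(failedSequentialAttempts >= maxFailedAttempts);
    // Gating on the sticky flag instead makes the swap reliable.
    function swapSource(address newSource) external {
        require(msg.sender == owner, "not owner");
        require(sourceFailed, "source has not failed");
        randomSource = newSource;
        failedSequentialAttempts = 0;
        sourceFailed = false;
    }
}
```

Once `sourceFailed` is set, a late or front-running `onRandomNumberFulfilled` leaves the flag untouched, so the owner's `swapSource` succeeds regardless of transaction ordering.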