Submission Details
Severity: high
Valid

Weak Randomness allows malicious users to win in unfair manner

Summary

This finding highlights a critical vulnerability in the "PuppyRaffle" contract: it relies on a weak, on-chain source of randomness, which lets an attacker predict and manipulate the outcome of the raffle.
The same weak randomness is used in the logic that selects the rarity of the minted NFT, so an attacker can also arrange to receive the rarest item.

Vulnerability Details

The "PuppyRaffle" contract derives its randomness from keccak256 over easily predictable inputs: msg.sender, block.timestamp and block.difficulty. Because all of these values are known or controllable at the time the function is called, the resulting "random" value is predictable, which allows an attacker to influence the selection of the raffle winner.

```solidity
// Vulnerable: every input to the hash is known before the transaction lands,
// so the winner index can be computed in advance.
uint256 winnerIndex = uint256(
    keccak256(
        abi.encodePacked(msg.sender, block.timestamp, block.difficulty)
    )
) % players.length;

// Same weakness for rarity: msg.sender is chosen by the caller and
// block.difficulty is observable, so the rarity roll is predictable too.
uint256 rarity = uint256(
    keccak256(abi.encodePacked(msg.sender, block.difficulty))
) % 100;
```

Impact

The consequence of weak randomness is that malicious actors can repeatedly exploit the raffle by predicting its outcome. This compromises the fairness of the raffle, harms honest participants and can cause direct financial loss (the prize pool and the rarest NFTs go to the attacker instead of to fairly selected winners).

Tools Used

VSCode

Recommendations

To address this vulnerability, it is strongly advised to implement secure randomness generation using trusted external oracles, such as Chainlink VRF (Verifiable Random Function), or other reputable sources of randomness. Secure randomness generation is crucial to ensure the integrity and fairness of the raffle.
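As an added illustration of the recommendation (this is example code written for this write-up, not code from the PuppyRaffle project or from the Chainlink library), the contract below sources both the winner index and the rarity roll from Chainlink VRF v2 instead of from keccak256 over block fields. The coordinator address, key hash and subscription id are deployment-specific and are passed in as constructor arguments; the `@chainlink/contracts` import paths assume a recent package version and may differ in older releases. The draw is split into a request step and a coordinator callback, so at the moment `selectWinner` is called nobody, not even the caller or the block producer, knows the random words that will decide the outcome.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Import paths are an assumption about the installed @chainlink/contracts version.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

// Hypothetical hardened raffle: randomness comes from Chainlink VRF v2, whose
// proof is verified on-chain by the coordinator before fulfillRandomWords runs.
contract VrfRaffle is VRFConsumerBaseV2 {
    enum State { Open, Drawing, Closed }

    VRFCoordinatorV2Interface private immutable i_coordinator;
    bytes32 private immutable i_keyHash;          // gas lane, deployment specific
    uint64 private immutable i_subscriptionId;    // funded VRF subscription, deployment specific
    uint32 private constant CALLBACK_GAS_LIMIT = 200_000;
    uint16 private constant REQUEST_CONFIRMATIONS = 3;
    uint32 private constant NUM_WORDS = 2;        // word 0: winner index, word 1: rarity roll

    address[] public players;
    State public state;
    uint256 public pendingRequestId;
    address public winner;
    uint256 public rarity;

    event RandomnessRequested(uint256 requestId);
    event WinnerSelected(address winner, uint256 rarity);

    constructor(address coordinator, bytes32 keyHash, uint64 subscriptionId)
        VRFConsumerBaseV2(coordinator)
    {
        i_coordinator = VRFCoordinatorV2Interface(coordinator);
        i_keyHash = keyHash;
        i_subscriptionId = subscriptionId;
        state = State.Open;
    }

    function enterRaffle() external payable {
        require(state == State.Open, "raffle not open");
        players.push(msg.sender);
    }

    // Step 1: freeze the player list and ask the coordinator for random words.
    // The words are not known to anyone yet, so there is nothing for msg.sender
    // or a block producer to grind against.
    function selectWinner() external {
        require(state == State.Open, "draw already in progress");
        require(players.length > 0, "no players");
        state = State.Drawing;
        pendingRequestId = i_coordinator.requestRandomWords(
            i_keyHash,
            i_subscriptionId,
            REQUEST_CONFIRMATIONS,
            CALLBACK_GAS_LIMIT,
            NUM_WORDS
        );
        emit RandomnessRequested(pendingRequestId);
    }

    // Step 2: the coordinator delivers the verified words. VRFConsumerBaseV2
    // only lets the configured coordinator reach this function.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        require(requestId == pendingRequestId, "unexpected request");
        require(state == State.Drawing, "not drawing");
        uint256 winnerIndex = randomWords[0] % players.length;
        winner = players[winnerIndex];
        rarity = randomWords[1] % 100;
        state = State.Closed;
        emit WinnerSelected(winner, rarity);
    }
}
```

Two design points worth noting: the state machine refuses new entries once a request is in flight, so the player set used for `% players.length` cannot change between request and fulfilment, and the callback checks the request id so a stale or duplicate fulfilment cannot overwrite a result. The same structure applies to the rarity roll, which is why two words are requested in a single call.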

Updates

Lead Judging Commences

Hamiltonite (Lead Judge), about 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG
Impact: manipulate winner
