FoundryNFT (Beginner Friendly)
100 EXP
Submission Details
Severity: high
Valid

Inadequate Randomness in selectWinner Function

Summary

The selectWinner function in the provided smart contract determines NFT rarity from an on-chain pseudo-randomness source that is predictable by the caller. Because the inputs are known before the transaction is mined, an attacker can anticipate the result and steer it in their favour.

Vulnerability Details

The vulnerability lies in the generation of rarity for an NFT using the following code:

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

The issue with this implementation is that neither input is random from the caller's point of view: msg.sender is chosen by the caller, and block.difficulty (block.prevrandao on post-Merge chains) is known before the transaction is included in a block. The hash, and therefore the rarity, can be computed in advance of submitting the transaction, so the outcome can be predicted and controlled. This undermines the fairness and integrity of the rarity determination process, which may negatively impact the contract's functionality.

Impact

  • Manipulated Rarity: Malicious actors can exploit the weakness in randomness to control and influence NFT rarity, potentially gaining unfair advantages.

  • Loss of Trust: The vulnerability erodes trust in the contract and discourages participation, as participants may perceive the process as unfair.

  • Financial Implications: The monetary value associated with different rarities can result in financial consequences for the contract and participants.

Tools Used

Manual review

Recommendations

  • Secure Randomness Source: Implement a more secure and unpredictable source of randomness for determining NFT rarity. Consider using an external oracle, Chainlink VRF (Verifiable Random Function), or another trusted solution for generating random numbers securely.

  • Third-party Auditing: Engage a third-party auditor with expertise in randomness generation to review and validate the fairness of the rarity determination process.

  • Transparent Rarity Generation: Clearly document and communicate the process for determining NFT rarity, ensuring participants are aware of the fairness and security measures in place.

  • Testing and Evaluation: Thoroughly test the contract to identify any potential vulnerabilities, especially those related to manipulation of the rarity determination process.
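The following is an added illustration, not code from the audited FoundryNFT contract: it places the weak pattern quoted in the Vulnerability Details beside a version that follows the first recommendation and draws the roll from Chainlink VRF v2. The contract names, the three-bucket rarity table, the callback gas limit and the constructor parameters are assumptions chosen for the example; the coordinator address, key hash and subscription id are deployment placeholders, and the import paths depend on the version of the @chainlink/contracts package in use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not the audited contract). Import paths assume a recent
// @chainlink/contracts release; older releases keep these files under src/v0.8/.
import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";
import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/vrf/interfaces/VRFCoordinatorV2Interface.sol";

/// Shared rarity table (assumed for the example): 0-69 Common, 70-94 Rare, 95-99 Legendary.
abstract contract RarityBase {
    enum Rarity { Common, Rare, Legendary }

    mapping(uint256 => Rarity) public rarityOf;
    uint256 public nextId;

    function rarityFromRoll(uint256 roll) internal pure returns (Rarity) {
        if (roll >= 95) return Rarity.Legendary;
        if (roll >= 70) return Rarity.Rare;
        return Rarity.Common;
    }
}

/// The pattern described in the finding: both hash inputs are known to the caller
/// before the transaction is mined, so the roll is deterministic from their view.
contract WeakRarity is RarityBase {
    function mint() external returns (uint256 id) {
        uint256 roll = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;
        id = nextId++;
        rarityOf[id] = rarityFromRoll(roll);
    }
}

/// Hardened version: the roll is delivered asynchronously by the VRF coordinator,
/// so nobody (minter, proposer or contract owner) can know it when mint() executes.
contract VrfRarity is RarityBase, VRFConsumerBaseV2 {
    VRFCoordinatorV2Interface private immutable coordinator;
    bytes32 private immutable keyHash;     // placeholder: gas-lane key hash of the target network
    uint64 private immutable subId;        // placeholder: funded VRF v2 subscription id
    uint32 private constant CALLBACK_GAS = 100_000;  // assumed; size to fulfillRandomWords' cost
    uint16 private constant CONFIRMATIONS = 3;       // blocks to wait before the oracle responds

    mapping(uint256 => uint256) private requestToToken; // requestId -> tokenId
    mapping(uint256 => bool) public rarityAssigned;

    event RarityRequested(uint256 indexed tokenId, uint256 requestId);
    event RarityAssigned(uint256 indexed tokenId, Rarity rarity);

    constructor(address _coordinator, bytes32 _keyHash, uint64 _subId)
        VRFConsumerBaseV2(_coordinator)
    {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
        subId = _subId;
    }

    /// Step 1: mint the token and request one random word. Rarity stays unassigned
    /// until the coordinator calls back, so the minter cannot react to the roll.
    function mint() external returns (uint256 id) {
        id = nextId++;
        uint256 requestId = coordinator.requestRandomWords(
            keyHash, subId, CONFIRMATIONS, CALLBACK_GAS, 1
        );
        requestToToken[requestId] = id;
        emit RarityRequested(id, requestId);
    }

    /// Step 2: VRFConsumerBaseV2.rawFulfillRandomWords reverts unless msg.sender is the
    /// coordinator, so only a proof-verified word reaches this function.
    function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
        uint256 id = requestToToken[requestId];
        require(!rarityAssigned[id], "rarity already assigned");
        rarityAssigned[id] = true;
        Rarity r = rarityFromRoll(randomWords[0] % 100);
        rarityOf[id] = r;
        emit RarityAssigned(id, r);
    }
}
```

The important design point is the two-step flow: with VRF the transaction that mints and the callback that assigns rarity are different transactions, and the second one can only be triggered by the coordinator after its proof verifies. A reviewer checking a fix should confirm that rarity is written nowhere except in fulfillRandomWords, that each request id is consumed once, and that the subscription is funded, since an unfunded subscription leaves tokens permanently without a rarity.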

Updates

Lead Judging Commences

Hamiltonite Lead Judge almost 2 years ago
Submission Judgement Published
Validated
Assigned finding tags:

weak-randomness

Root cause: bad RNG
Impact: manipulate winner
