Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Potential Front-Running Attack in selectWinner and refund Functions

r0p

Title: Potential Front-Running Attack in selectWinner and refund Functions
Impact: Medium — Attacker avoids losses or steals owner fees via mempool front-running.
Likelihood: Medium — Requires mempool monitoring, feasible for MEV bots.
Reference Files: src/PuppyRaffle.sol:96-105,125-154

Description:

Description

Both selectWinner() and refund() are public functions with no front-running protection. An attacker watching the mempool can see a pending selectWinner() transaction and submit a counter-transaction with higher gas. The vulnerable functions:

function refund(uint256 playerIndex) public { ... } // callable by anyone

function selectWinner() external { ... } // visible in mempool

An attacker can avoid losses by refunding before selection, or manipulate the prize pool by adding entries.

Risk

Impact: Medium. Attacker avoids losing their entrance fee by front-running selectWinner() with refund(). Can also pad entries to shift the winner index and steal owner fees.
Likelihood: Medium. MEV bots routinely monitor mempools for profitable front-running opportunities. This attack requires no special privileges.
An attacker monitoring the mempool can exit the raffle every time they are about to lose, making their expected profit strictly positive.

Proof of Concept

Attacker monitors mempool for selectWinner() transactions. They simulate the outcome. If about to lose → submit refund(attackerIndex) with higher gas to execute first. When selectWinner() runs, the attacker has already exited with their full entrance fee returned.

Recommended Mitigation

Add a two-step timelock to prevent same-block front-running:

uint256 public selectWinnerInitiated;

function initiateSelectWinner() external { selectWinnerInitiated = block.timestamp + 1 hours; }

function selectWinner() external {

require(block.timestamp >= selectWinnerInitiated, "Too early");

selectWinnerInitiated = 0;

}

The 1-hour timelock forces a delay between initiating and executing winner selection, so an attacker cannot front-run within the same block — they would need to predict the outcome an hour in advance.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 4 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-07] Potential Front-Running Attack in `selectWinner` and `refund` Functions

## Description Malicious actors can watch any `selectWinner` transaction and front-run it with a transaction that calls `refund` to avoid participating in the raffle if he/she is not the winner or even to steal the owner fess utilizing the current calculation of the `totalAmountCollected` variable in the `selectWinner` function. ## Vulnerability Details The PuppyRaffle smart contract is vulnerable to potential front-running attacks in both the `selectWinner` and `refund` functions. Malicious actors can monitor transactions involving the `selectWinner` function and front-run them by submitting a transaction calling the `refund` function just before or after the `selectWinner` transaction. This malicious behavior can be leveraged to exploit the raffle in various ways. Specifically, attackers can: 1. **Attempt to Avoid Participation:** If the attacker is not the intended winner, they can call the `refund` function before the legitimate winner is selected. This refunds the attacker's entrance fee, allowing them to avoid participating in the raffle and effectively nullifying their loss. 2. **Steal Owner Fees:** Exploiting the current calculation of the `totalAmountCollected` variable in the `selectWinner` function, attackers can execute a front-running transaction, manipulating the prize pool to favor themselves. This can result in the attacker claiming more funds than intended, potentially stealing the owner's fees (`totalFees`). ## Impact - **Medium:** The potential front-running attack might lead to undesirable outcomes, including avoiding participation in the raffle and stealing the owner's fees (`totalFees`). These actions can result in significant financial losses and unfair manipulation of the contract. ## Recommendations To mitigate the potential front-running attacks and enhance the security of the PuppyRaffle contract, consider the following recommendations: - Implement Transaction ordering dependence (TOD) to prevent front-running attacks. This can be achieved by applying time locks in which participants can only call the `refund` function after a certain period of time has passed since the `selectWinner` function was called. This would prevent attackers from front-running the `selectWinner` function and calling the `refund` function before the legitimate winner is selected.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!