Participants are mislead by the rarity chances.
Summary
The drop chances defined in the state variables section for the COMMON and LEGENDARY are misleading.
Vulnerability Details
The 3 rarity scores are defined as follows:
This implies that out of a really big number of NFT's, 70% should be of common rarity, 25% should be of rare rarity and the last 5% should be legendary. The selectWinners function doesn't implement these numbers.
The rarity variable in the code above has a possible range of values within [0;99] (inclusive)
This means that rarity <= COMMON_RARITY condition will apply for the interval [0:70], the rarity <= COMMON_RARITY + RARE_RARITY condition will apply for the [71:95] rarity and the rest of the interval [96:99] will be of LEGENDARY_RARITY
The [0:70] interval contains 71 numbers (70 - 0 + 1)
The [71:95] interval contains 25 numbers (95 - 71 + 1)
The [96:99] interval contains 4 numbers (99 - 96 + 1)
This means there is a 71% chance someone draws a COMMON NFT, 25% for a RARE NFT and 4% for a LEGENDARY NFT.
Impact
Depending on the info presented, the raffle participants might be lied with respect to the chances they have to draw a legendary NFT.
Tools Used
Manual review
Recommendations
Drop the = sign from both conditions:
Lead Judging Commences
wrong nft rarity
71% 25% 4%
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.