Summary
RAFFLE_DURATION is declared as an immutable but is assigned the hard-coded literal 86400 in the constructor instead of a deployer-supplied value. An immutable whose value can never differ between deployments gives the deployer no flexibility and is misleading: declaring it immutable implies that the deployer is expected to provide the value at deployment, which the constructor does not allow.
Vulnerability Details
See line 72 and line 102 of snek_raffle.vy.
.
.
.
VRF_COORDINATOR: immutable(VRFCoordinatorV2)
GAS_LANE: immutable(bytes32)
SUBSCRIPTION_ID: immutable(uint64)
ENTRANCE_FEE: immutable(uint256)
RAFFLE_DURATION: immutable(uint256)
-------------------------^
.
.
.
@deploy
@payable
def __init__(
    subscription_id: uint64,
    gas_lane: bytes32,
    entrance_fee: uint256,
    vrf_coordinator_v2: address,
):
    ERC721.__init__("Snek Raffle", "SNEK", "", "snek raffle", "v0.0.1")
    SUBSCRIPTION_ID = subscription_id
    GAS_LANE = gas_lane
    ENTRANCE_FEE = entrance_fee
    VRF_COORDINATOR = VRFCoordinatorV2(vrf_coordinator_v2)
    RAFFLE_DURATION = 86400
--------------------------^
    self.raffle_state = RaffleState.OPEN
    self.last_timestamp = block.timestamp
    self.rarityToTokenURI[COMMON] = COMMON_SNEK_URI
    self.rarityToTokenURI[RARE] = RARE_SNEK_URI
    self.rarityToTokenURI[LEGEND] = LEGEND_SNEK_URI
.
.
.
Impact
Informational; no funds are at risk. The deployer cannot choose a raffle duration without editing and recompiling the contract, and the immutable declaration misleads readers into assuming the value is configurable per deployment. A constant is also the cheaper form for a fixed value: it is inlined at compile time, whereas an immutable is read from the runtime bytecode on every access.
Tools Used
Manual Review
Recommendations
Let the deployer provide the value: accept raffle_duration as a constructor argument and assign it to RAFFLE_DURATION. Since the value then comes from outside the contract, consider rejecting a zero duration (the raffle could be drawn immediately) before assigning it.
Update the raffle's constructor as below:
# Constructor
@deploy
@payable
def __init__(
    subscription_id: uint64,
    gas_lane: bytes32,  # keyHash
    entrance_fee: uint256,
    vrf_coordinator_v2: address,
+   raffle_duration: uint256,
):
    ERC721.__init__("Snek Raffle", "SNEK", "", "snek raffle", "v0.0.1")
    SUBSCRIPTION_ID = subscription_id
    GAS_LANE = gas_lane
    ENTRANCE_FEE = entrance_fee
    VRF_COORDINATOR = VRFCoordinatorV2(vrf_coordinator_v2)
-   RAFFLE_DURATION = 86400  # 1 day in seconds
+   RAFFLE_DURATION = raffle_duration  # raffle interval chosen by the deployer
    self.raffle_state = RaffleState.OPEN
    self.last_timestamp = block.timestamp
    self.rarityToTokenURI[COMMON] = COMMON_SNEK_URI
    self.rarityToTokenURI[RARE] = RARE_SNEK_URI
    self.rarityToTokenURI[LEGEND] = LEGEND_SNEK_URI
Alternatively, if the raffle duration is not meant to be configurable per deployment, make RAFFLE_DURATION a constant: it is then inlined at compile time and needs no constructor assignment. Update snek_raffle.vy as below:
.
.
.
## Constants
MAX_ARRAY_SIZE: constant(uint256) = 1
REQUEST_CONFIRMATIONS: constant(uint16) = 3
CALLBACK_GAS_LIMIT: constant(uint32) = 100000
NUM_WORDS: constant(uint32) = 1
MAX_NUMBER_OF_PLAYERS: constant(uint256) = 10000
EMPTY_BYTES: constant(Bytes[32]) = b"\x00"
+ RAFFLE_DURATION: constant(uint256) = 86400  # 1 day in seconds
.
.
.
## Immutables
VRF_COORDINATOR: immutable(VRFCoordinatorV2)
GAS_LANE: immutable(bytes32)
SUBSCRIPTION_ID: immutable(uint64)
ENTRANCE_FEE: immutable(uint256)
- RAFFLE_DURATION: immutable(uint256)
.
.
.
# Constructor
@deploy
@payable
def __init__(
    subscription_id: uint64,
    gas_lane: bytes32,  # keyHash
    entrance_fee: uint256,
    vrf_coordinator_v2: address,
):
    ERC721.__init__("Snek Raffle", "SNEK", "", "snek raffle", "v0.0.1")
    SUBSCRIPTION_ID = subscription_id
    GAS_LANE = gas_lane
    ENTRANCE_FEE = entrance_fee
    VRF_COORDINATOR = VRFCoordinatorV2(vrf_coordinator_v2)
-   RAFFLE_DURATION = 86400  # 1 day in seconds
    self.raffle_state = RaffleState.OPEN
    self.last_timestamp = block.timestamp
    self.rarityToTokenURI[COMMON] = COMMON_SNEK_URI
    self.rarityToTokenURI[RARE] = RARE_SNEK_URI
    self.rarityToTokenURI[LEGEND] = LEGEND_SNEK_URI
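As an added illustration of the first recommendation (this is not code from snek_raffle or its authors), the minimal Vyper 0.4 contract below takes RAFFLE_DURATION from the deployer, bounds-checks it before assignment, and keeps a true compile-time constant alongside it for contrast. The bounds MIN_RAFFLE_DURATION and MAX_RAFFLE_DURATION and the is_raffle_due view are assumptions made for this example, not values from the project.

```vyper
# pragma version ^0.4.0
# Added example, not the snek_raffle code: a deployer-supplied immutable
# with a sanity check, next to a real compile-time constant.

# Constants are folded into the bytecode at compile time wherever they are used.
# Both bounds are assumed for this example.
MIN_RAFFLE_DURATION: constant(uint256) = 60          # 1 minute
MAX_RAFFLE_DURATION: constant(uint256) = 30 * 86400  # 30 days

# An immutable is written exactly once, in the constructor, and then lives in
# the runtime bytecode; this is the form to use when the deployer picks the value.
RAFFLE_DURATION: immutable(uint256)

last_timestamp: public(uint256)


@deploy
def __init__(raffle_duration: uint256):
    # Reject values that would make the raffle drawable immediately (0 or
    # near 0) or effectively never (an absurdly large interval).
    assert raffle_duration >= MIN_RAFFLE_DURATION, "duration too short"
    assert raffle_duration <= MAX_RAFFLE_DURATION, "duration too long"
    RAFFLE_DURATION = raffle_duration
    self.last_timestamp = block.timestamp


@external
@view
def raffle_duration() -> uint256:
    # Expose the immutable so deployments can be verified off-chain.
    return RAFFLE_DURATION


@external
@view
def is_raffle_due() -> bool:
    # The time check a raffle performs before it may request randomness
    # (assumed shape for this example).
    return block.timestamp - self.last_timestamp >= RAFFLE_DURATION
```

Deploying with raffle_duration = 0 reverts at the first assert, so a misconfigured deployment fails loudly instead of producing a raffle that can be drawn in the same block it opens.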