Summary
Rarity of NFT is not properly calculated
Vulnerability Details
The function snek_raffle:fulfillRandomWords
calculates the winner of the raffle
@internal
def fulfillRandomWords(request_id: uint256, random_words: uint256[MAX_ARRAY_SIZE]):
index_of_winner: uint256 = random_words[0] % len(self.players)
recent_winner: address = self.players[index_of_winner]
self.recent_winner = recent_winner
self.players = []
self.raffle_state = RaffleState.OPEN
self.last_timestamp = block.timestamp
@> rarity: uint256 = random_words[0] % 3
self.tokenIdToRarity[ERC721._total_supply()] = rarity
log WinnerPicked(recent_winner)
ERC721._mint(recent_winner, ERC721._total_supply())
send(recent_winner, self.balance)
However, the command that calculates the rarity of the NFT is not working as expected!
Impact
Instead of the proper distribution of NFT rarity, every type of NFT is 33,33% possible to come out
Tools Used
Manual review
Recommendations
Fix the calculation of the rarity
@internal
def fulfillRandomWords(request_id: uint256, random_words: uint256[MAX_ARRAY_SIZE]):
index_of_winner: uint256 = random_words[0] % len(self.players)
recent_winner: address = self.players[index_of_winner]
self.recent_winner = recent_winner
self.players = []
self.raffle_state = RaffleState.OPEN
self.last_timestamp = block.timestamp
- rarity: uint256 = random_words[0] % 3
+ rarity: uint256 = 0
+ valueOfRarity: uint256 = random_words[0] % 100
+ if (valueOfRarity <= 5):
+ rarity = 2
+ elif (valueOfRarity <= 30):
+ rarity = 1
self.tokenIdToRarity[ERC721._total_supply()] = rarity
log WinnerPicked(recent_winner)
ERC721._mint(recent_winner, ERC721._total_supply())
send(recent_winner, self.balance)