Incorrect rarity calculation leads to 1 in 3 chance to get each snek type
Summary
When a user wins a raffle, they are to be minted a new snek. What type of snek they win is to be determined as a percentage chance based on that types rarity, here is an excerpt from the docs that confirms this:
However, currently the rarity is just being determined by a random 1/3 chance using the Chainlink VRF random value.
Vulnerability Details
The rarity calculation takes place in fullfillRandomWords() as part of the callback for Chainlink VRF. The current rarity calculation is as follows:
random_words[0] is the only element of an array of random uint256's generated by Chainlink VRF, by taking the modulus of 3 of that element, you 1 of 3 random numbers, 0, if the andom_words[0] divides evenly by 3, 1 if there would be a remained of one, or two if there would be a remained of 2. This results in a rarity chance that is 1/3 for each rarity type. As we can see from the rarity constants (and earlier in the docs):
The intended rarity is 70% for common, 25% for rare and 5% for legendary.
Impact
This results in there being no rarity diversity between the snek nfts, seriously hurting their potential value as there is no supply difference between a common snek and a legendary snek.
Tools Used
Manual Review
Recommendations
I recommend you remove the current rarity logic and replace it with the following, or equivalent.
Lead Judging Commences
Rarity is 1/3 instead of what the docs say
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.