The Snek-Raffle project fails to implement the VRFConsumerBaseV2 interface properly, leading to incompatibilities with Chainlink's VRF service. This finding was rated as high risk because it undermines the correct operation of the raffle.
The rawFulfillRandomWords() function implemented in the Snek-Raffle contract does not match the one expected by the VRFConsumerBaseV2 interface.
Notice that the function selectors above use a fixed array (uint256[MAX_ARRAY_SIZE]). However, in order to be able to interact with Chainlink's VRF, the contract must implement VRFConsumerBaseV2 with dynamic arrays (uint256[] memory randomWords in Solidity or DynArray[uint256, 10] in Vyper).
See the following related StackExchange question for more information: https://ethereum.stackexchange.com/questions/132894/match-a-solidity-function-selector-with-a-dynamic-array-to-a-vyper-function-sele
As indicated in the summary, not being able to properly interact with Chainlink's VRF undermines the correct operation of the raffle.
Manual analysis.
It is recommended to make the suggested changes below in order to be able to make use of Chainlink's VRF: