Callback Gas Limit Too Low
Summary
When using Chainlink's VRF, the callback gas limit specifies the maximum amount of gas someone is willing to spend for completing the VRF callback function. Projects can define this limit by specifying the callbackGasLimit value in the requests of random words. Note that you cannot put a value larger than maxGasLimit of the VRF Coordinator contract.
Fore more information, visit the official documentation: https://docs.chain.link/vrf/v2/subscription and https://docs.chain.link/vrf/v2/direct-funding/examples/get-a-random-number
Vulnerability Details
The Snek-Raffle contract defines a constant CALLBACK_GAS_LIMIT for determining the callback gas limit when calling requestRandomWords() to the ChainLink's VRF in the function request_raffle_winner().
However, knowing that such function contains interactions with other contracts (minting of an NFT) and sending ether,
Impact
Users might be unable to claim their raffle rewards due to this low limit.
Tools Used
Manual analysis.
Recommendations
Consider increasing the value of the CALLBACK_GAS_LIMIT constant.
Also, as recommended by Chainlink, evaluate simplifying the logic of the fulfillRandomWords() function by simply storing the randomness and taking more complex follow-on actions in separate contract calls made by you, your users, or an Automation Node.
Lead Judging Commences
CALLBACK_GAS_LIMIT too low
CALLBACK_GAS_LIMIT too low
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.