FoundryNFT (Beginner Friendly)
100 EXP
Submission Details
Severity: medium
Valid

Incorrect NFT rarity distribution misleads users

Summary

The specification states that three NFTs are awarded with probabilities of 70%, 25%, 5%. However, with the current contract implementation, NFTs are drawn with equal probability.

Vulnerability Details

According to the specification, the three winner NFTs vary in their rarity (Brown - 70%, Jungle - 25%, Cosmic - 5%).

The rarity of the winner NFT is determined in the function fulfillRandomWords:

rarity: uint256 = random_words[0] % 3
self.tokenIdToRarity[ERC721._total_supply()] = rarity

random_words[0] % 3 yields the three possible outcomes 0 (COMMON), 1 (RARE), 2 (LEGEND) with equal probability, i.e. each rarity is drawn one third of the time instead of at 70% / 25% / 5%.

Impact

High: While protocol funds are not at risk from this incorrect implementation, the varying rarity of the winner NFTs is a major feature of the protocol; therefore, its incorrect implementation is a severe disruption to protocol functionality.

Tools Used

Manual code inspection.

Recommendations

Implement the correct mapping from random number to rarity. Replace:

rarity: uint256 = random_words[0] % 3
self.tokenIdToRarity[ERC721._total_supply()] = rarity

with:

rarity: uint256 = random_words[0] % 100 # creates values ranging from 0 to 99
if (rarity < COMMON_RARITY):
    self.tokenIdToRarity[ERC721._total_supply()] = COMMON
elif (rarity < COMMON_RARITY + RARE_RARITY):
    self.tokenIdToRarity[ERC721._total_supply()] = RARE
else:
    self.tokenIdToRarity[ERC721._total_supply()] = LEGEND

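
The following Python simulation is an added example, not code from the FoundryNFT contract or from this submission. It reproduces both mappings off-chain on constructed 256-bit random words (stand-ins for the VRF output) and compares the resulting rarity shares against the 70% / 25% / 5% specification; the constant names mirror the recommendation above.

```python
# Added example: compare the current `random_words[0] % 3` rarity mapping with the
# recommended threshold mapping by sampling constructed VRF-style random words.
import random
from collections import Counter

COMMON, RARE, LEGEND = 0, 1, 2
# Percentages from the specification (names assumed to match the contract's constants).
COMMON_RARITY, RARE_RARITY, LEGEND_RARITY = 70, 25, 5


def rarity_current(random_word: int) -> int:
    """Mapping as currently implemented: three outcomes, each with probability 1/3."""
    return random_word % 3


def rarity_recommended(random_word: int) -> int:
    """Threshold mapping from the recommendation: 70% COMMON, 25% RARE, 5% LEGEND."""
    roll = random_word % 100  # 0..99
    if roll < COMMON_RARITY:
        return COMMON
    elif roll < COMMON_RARITY + RARE_RARITY:
        return RARE
    return LEGEND


def distribution(mapper, words):
    """Share of each rarity, in percent, over the given random words."""
    counts = Counter(mapper(w) for w in words)
    total = len(words)
    return {r: 100 * counts[r] / total for r in (COMMON, RARE, LEGEND)}


def sample_words(n: int, seed: int = 0) -> list:
    """Constructed stand-in for VRF random words: uniform 256-bit integers."""
    rng = random.Random(seed)
    return [rng.getrandbits(256) for _ in range(n)]


if __name__ == "__main__":
    words = sample_words(100_000)
    print("current    :", distribution(rarity_current, words))      # ~33 / 33 / 33
    print("recommended:", distribution(rarity_recommended, words))  # ~70 / 25 / 5
```

Reducing a 256-bit word modulo 100 carries only a negligible modulo bias (2^256 is not a multiple of 100, but the skew is on the order of 2^-256), so the material error in the finding is the modulus 3 itself, not the reduction step.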
Updates

Lead Judging Commences

inallhonesty (Lead Judge), over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Rarity is 1/3 instead of what the docs say
