Submission Details
Severity: low
Valid

Chainlink's VRF v2 is not available on zkSync blockchain

Summary

The smart contract relies on getting random numbers through Chainlink's VRF v2 service. Currently, this service is not available on the zkSync blockchain. The contract cannot function without a valid VRF Coordinator address on the target blockchain.

Vulnerability Details

As of March 2024, Chainlink does not provide its VRF v2 service on the zkSync rollup (https://docs.chain.link/vrf/v2/subscription/supported-networks, accessed 3/14/2024).

Impact

Medium: Deployment to zkSync has to be delayed until Chainlink provides its VRF v2 service natively on zkSync. This creates a dependency on external resources.

If the contract is not expected to be functional when deployed to a target blockchain other than Ethereum mainnet, this has been considered a "Medium" vulnerability before (for example, https://www.codehawks.com/finding/clqqv2syu00204d0wpgq5oza7).

Tools Used

Manual code inspection.

Recommendations

Rewrite the contract to not rely on Chainlink's VRF service. An alternative provider for random numbers could be Randomizer.AI (https://randomizer.substack.com/p/introducing-randomizerai-random-numbers-22-06-25).
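
A deploy-time guard for the dependency this finding describes, added here as an illustration; it is not code from the audited contract or from the submission, and the contract, error and function names are hypothetical. Deployment reverts when the supplied coordinator address is zero or has no contract code on the target chain.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: every name here is hypothetical, not taken from the audited contract.
// Deployment reverts unless the supplied VRF coordinator is a deployed contract
// on the chain being deployed to.
abstract contract VRFCoordinatorGuard {
    error CoordinatorNotConfigured(uint256 chainId);
    error CoordinatorHasNoCode(uint256 chainId, address coordinator);

    address internal immutable i_vrfCoordinator;

    constructor(address coordinator) {
        // The deploy configuration holds no coordinator address for this chain.
        if (coordinator == address(0)) {
            revert CoordinatorNotConfigured(block.chainid);
        }
        // An address copied from another network has no contract code here,
        // so no randomness request could ever be fulfilled.
        if (coordinator.code.length == 0) {
            revert CoordinatorHasNoCode(block.chainid, coordinator);
        }
        i_vrfCoordinator = coordinator;
    }
}

// Hypothetical consumer: inheriting the guard makes a misconfigured deployment
// fail at construction time instead of at the first randomness request.
contract RandomNFT is VRFCoordinatorGuard {
    constructor(address coordinator) VRFCoordinatorGuard(coordinator) {}

    function configuredCoordinator() external view returns (address) {
        return i_vrfCoordinator;
    }
}
```

The code-length check only proves that some contract exists at the address; it does not prove that the contract is a Chainlink VRF coordinator.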

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink VRF is not available on zkSync
