Severity: low
Valid

`Chainlink VRF` is not supported on `ZKSync` chain

Summary

The Snek Raffle protocol uses Chainlink VRF to select a random winner. The protocol will be deployed on three chains, including ZKSync, but the ZKSync chain doesn't support Chainlink VRF.

Vulnerability Details

The README states that Snek Raffle will be deployed on the following chains:

Chain(s) to deploy contract to:
- Ethereum
- Arbitrum
- ZKSync

Also, the protocol uses Chainlink VRF to generate a random number for picking a winner in the raffle:

```
def request_raffle_winner() -> uint256:
    """Request a random winner from the VRF Coordinator after a raffle has completed."""
    is_open: bool = RaffleState.OPEN == self.raffle_state
    time_passed: bool = (block.timestamp - self.last_timestamp) > RAFFLE_DURATION
    has_players: bool = len(self.players) > 0
    has_balance: bool = self.balance > 0
    assert is_open and time_passed and has_players and has_balance, ERROR_NOT_ENDED
    self.raffle_state = RaffleState.CALCULATING
@>  request_id: uint256 = VRF_COORDINATOR.requestRandomWords(
        GAS_LANE,
        SUBSCRIPTION_ID,
        REQUEST_CONFIRMATIONS,
        CALLBACK_GAS_LIMIT,
        NUM_WORDS
    )
    return ERC721._total_supply()
```

The problem is that the ZKSync chain doesn't support the Chainlink VRF.

Impact

The call to Chainlink VRF requesting randomness will fail because ZKSync doesn't support Chainlink VRF, and the protocol will not receive the random number for picking a winner.

Here is a list of chains that support Chainlink VRF:

https://docs.chain.link/vrf/v2/subscription/supported-networks
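A pre-deployment check for the failure described above, as an added example that is not part of the submission or the Snek Raffle code base: it refuses a target chain when the configured VRF coordinator address is missing, malformed, or has no contract code according to `eth_getCode`. The plan layout, the function names, the addresses and the RPC stand-in are all constructed assumptions; in real use `rpc` would wrap a JSON-RPC client for each chain.

```python
import re

ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
ZERO_ADDRESS = "0x" + "00" * 20

def coordinator_problems(address, get_code):
    """Return reasons this coordinator address cannot serve requestRandomWords."""
    if address is None:
        return ["no VRF coordinator configured for this chain"]
    if not ADDRESS_RE.match(address) or address == ZERO_ADDRESS:
        return [f"invalid coordinator address: {address!r}"]
    code = get_code(address)  # eth_getCode result; "0x" means no contract exists
    if not isinstance(code, str) or not code.startswith("0x"):
        return [f"unexpected eth_getCode result: {code!r}"]
    if len(code) <= 2:
        return ["no contract code at coordinator address"]
    return []

def preflight(plan, rpc):
    """Map each target chain to its list of blocking problems (empty list = OK)."""
    report = {}
    for chain, cfg in plan.items():
        lookup = lambda addr, c=chain: rpc(c, "eth_getCode", [addr, "latest"])
        report[chain] = coordinator_problems(cfg.get("vrf_coordinator"), lookup)
    return report

def blocked_chains(plan, rpc):
    """Chains that must not be deployed to with the current configuration."""
    return sorted(c for c, problems in preflight(plan, rpc).items() if problems)

# --- Constructed sample data: placeholder addresses, not real deployments ---
ETH_COORD = "0x" + "11" * 20
ARB_COORD = "0x" + "22" * 20
PLAN = {
    "ethereum": {"vrf_coordinator": ETH_COORD},
    "arbitrum": {"vrf_coordinator": ARB_COORD},
    "zksync": {"vrf_coordinator": ETH_COORD},  # address copied from another chain
}
CHAIN_CODE = {("ethereum", ETH_COORD): "0x6080604052",
              ("arbitrum", ARB_COORD): "0x6080604052"}

def fake_rpc(chain, method, params):
    """Stand-in for a JSON-RPC client; returns constructed eth_getCode results."""
    assert method == "eth_getCode"
    return CHAIN_CODE.get((chain, params[0]), "0x")

if __name__ == "__main__":
    for chain, problems in preflight(PLAN, fake_rpc).items():
        print(chain, "OK" if not problems else "BLOCKED: " + "; ".join(problems))
```

Code being present at the address does not prove the contract is a VRF coordinator; the check only catches the missing-deployment case this finding describes.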

Tools Used

Manual Review

Recommendations

Create a custom solution for generating randomness off-chain and securely relaying it on-chain.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Chainlink VRF is not available on zkSync
