Submission Details
Severity: medium
Valid

Wrong NFT rarity calculation in `snek_raffle.vy::fulfillRandomWords`

Summary

The NFT rarity calculation in `snek_raffle.vy::fulfillRandomWords` is wrong. This breaks the business logic of the contract and devalues the rarity of NFTs.

Vulnerability Details

The rarity is calculated as `rarity: uint256 = random_words[0] % 3`, so all rarities will have the same chance, ~33.(3)%.

But according to the docs:
Brown Snek - 70% Chance to get
Jungle Snek - 25% Chance to get
Cosmic Snek - 5% Chance to get
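
The gap between the `% 3` mapping and the documented odds, as an added Python simulation that is not part of the original submission or the contract's code. The tier keys, the percentage weights as a dictionary and the function names are assumptions made for this sketch, and the random words are constructed from a seeded PRNG rather than taken from VRF output.

```python
from collections import Counter
import random

# Weights from the documented odds quoted above (percent). The key names and
# this dictionary layout are assumptions for the sketch, not contract code.
WEIGHTS = {"brown": 70, "jungle": 25, "cosmic": 5}
NAMES = list(WEIGHTS)


def rarity_uniform(random_word: int) -> str:
    """The reported behaviour: random_words[0] % 3 picks each tier equally."""
    return NAMES[random_word % 3]


def rarity_weighted(random_word: int) -> str:
    """Cumulative-threshold selection over the documented weights."""
    roll = random_word % sum(WEIGHTS.values())
    upper = 0
    for name, weight in WEIGHTS.items():
        upper += weight
        if roll < upper:
            return name
    raise AssertionError("unreachable: roll is below the weight total")


def exact_distribution(pick, modulus: int) -> dict:
    """Tier share in percent over one full cycle of residues."""
    counts = Counter(pick(r) for r in range(modulus))
    return {n: 100 * counts[n] / modulus for n in NAMES}


def sampled_distribution(pick, draws: int = 100_000, seed: int = 1) -> dict:
    """Tier share in percent over constructed 256-bit words (seeded PRNG)."""
    rng = random.Random(seed)
    counts = Counter(pick(rng.getrandbits(256)) for _ in range(draws))
    return {n: round(100 * counts[n] / draws, 1) for n in NAMES}


if __name__ == "__main__":
    print("uniform  exact  :", exact_distribution(rarity_uniform, 3))
    print("weighted exact  :", exact_distribution(rarity_weighted, 100))
    print("uniform  sampled:", sampled_distribution(rarity_uniform))
    print("weighted sampled:", sampled_distribution(rarity_weighted))
```

The same comparison works as a regression check: a test that draws many random words and asserts the tier shares against the documented percentages fails on the `% 3` mapping.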

Impact

This breaks the business logic of the contract and devalues the rarity of NFTs

Tools Used

Manual check

Recommendations

We should add rarity calculation logic, for example:

- rarity: uint256 = random_words[0] % 3
- self.tokenIdToRarity[ERC721._total_supply()] = rarity
+ rarity: uint256 = random_words[0] % (COMMON_RARITY + RARE_RARITY + LEGENDARY_RARITY)
+ tokenId: uint256 = ERC721._total_supply()
+ if (rarity < COMMON_RARITY):
+ self.tokenIdToRarity[tokenId] = COMMON_RARITY
+ elif (rarity < COMMON_RARITY + RARE_RARITY):
+ self.tokenIdToRarity[tokenId] = RARE_RARITY
+ else:
+ self.tokenIdToRarity[tokenId] = LEGENDARY_RARITY
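
Review bot: The three added assignments (`self.tokenIdToRarity[tokenId] = COMMON_RARITY` and the RARE/LEGENDARY equivalents) store the same constants that the `if`/`elif` lines and the modulus use as weights, whereas the removed line stored the modulo result, a value in 0..2. The definitions of `COMMON_RARITY`, `RARE_RARITY` and `LEGENDARY_RARITY` are not shown here; if they hold the documented percentages, `tokenIdToRarity` would now contain weights rather than rarity indices, and any reader of that mapping expecting 0, 1 or 2 would break. Suggest using separate names for the weights and for the stored rarity identifiers, and including the constant definitions with this change so the thresholds can be checked against the documented 70/25/5 split.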
Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Rarity is 1/3 instead of what the docs say
