Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Valid

randomness problem in the tokenuri function

Summary

This function is typically used within ERC-721 token standards to define how the URI (link) for an NFT's metadata is retrieved.
It checks if the tokenId (unique identifier of the NFT) is valid (not minted yet).
It then uses the modulo operator (%) to get the remainder when dividing tokenId by 10.
Based on the remainder value:
10,20,30,330, return the same URI the same with 11,21,3331

Vulnerability Details

The provided function tokenURI can partially help with randomly distributing NFTs to 4 accounts, but it needs modifications for a truly random process. Here's a breakdown:

What the Function Does:
Limitations for Random Distribution:
This approach isn't truly random because it deterministically assigns NFTs based on the order they are minted (their tokenId).
The first 4 minted NFTs will always get assigned a specific art type based on their order.

Here are two approaches to achieve a more random distribution:
Verifiable Random Function (VRF):

Use a VRF service like Chainlink VRF to generate a provably random number on-chain.
Use this random number to select the art type for each NFT during the minting process.
Off-chain Randomness with Reveal:

Implement a system where minting assigns a random but temporary identifier to the NFT.
Store the mapping between minted NFTs and their intended art type off-chain (securely).
Later, have a separate function reveal the actual art type associated with each NFT's temporary identifier.

Impact

Tools Used

manuale review , chatgpt

Recommendations

Here are two approaches to achieve a more random distribution:
Verifiable Random Function (VRF):

Use a VRF service like Chainlink VRF to generate a provably random number on-chain.
Use this random number to select the art type for each NFT during the minting process.
Off-chain Randomness with Reveal:

Implement a system where minting assigns a random but temporary identifier to the NFT.
Store the mapping between minted NFTs and their intended art type off-chain (securely).
Later, have a separate function reveal the actual art type associated with each NFT's temporary identifier.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

NFTs are not random

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.