First Flight #15: Mondrian Wallet

First Flight #15

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

randomness problem in the tokenuri function

jo13

Summary

This function is typically used within ERC-721 token standards to define how the URI (link) for an NFT's metadata is retrieved.
It checks if the tokenId (unique identifier of the NFT) is valid (not minted yet).
It then uses the modulo operator (%) to get the remainder when dividing tokenId by 10.
Based on the remainder value:
10,20,30,330, return the same URI the same with 11,21,3331

Vulnerability Details

The provided function tokenURI can partially help with randomly distributing NFTs to 4 accounts, but it needs modifications for a truly random process. Here's a breakdown:

What the Function Does:
Limitations for Random Distribution:
This approach isn't truly random because it deterministically assigns NFTs based on the order they are minted (their tokenId).
The first 4 minted NFTs will always get assigned a specific art type based on their order.

Here are two approaches to achieve a more random distribution:
Verifiable Random Function (VRF):

Use a VRF service like Chainlink VRF to generate a provably random number on-chain.
Use this random number to select the art type for each NFT during the minting process.
Off-chain Randomness with Reveal:

Implement a system where minting assigns a random but temporary identifier to the NFT.
Store the mapping between minted NFTs and their intended art type off-chain (securely).
Later, have a separate function reveal the actual art type associated with each NFT's temporary identifier.

Impact

Tools Used

manuale review , chatgpt

Recommendations

Here are two approaches to achieve a more random distribution:
Verifiable Random Function (VRF):

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

NFTs are not random

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.