The function MondrianWallet:tokenURI
does not provide an equal distribution among the four possible URIs. One URI is favored significantly over the others.
The function uses the tokenId % 10 operation to determine which URI to return. This results in the following mappings:
tokenId % 10 == 0 maps to ART_ONE
tokenId % 10 == 1 maps to ART_TWO
tokenId % 10 == 2 maps to ART_THREE
All other results of tokenId % 10 (3 through 9) map to ART_FOUR.
Here’s a breakdown of the distribution:
ART_ONE is returned for 10% of token IDs (those ending in 0).
ART_TWO is returned for 10% of token IDs (those ending in 1).
ART_THREE is returned for 10% of token IDs (those ending in 2).
ART_FOUR is returned for 70% of token IDs (those ending in 3 through 9).
Clearly, the distribution is not equal among the four URIs. ART_FOUR is significantly more common than the others.
ART_FOUR will be more distributed than other ARTs which is not compliant with the NFT part annoucement:
You'll see the tokenURI function returns one of 4 random Mondrian art paintings. Each should have equal distribution and be random.
Manual review
Change the modulo operation from 10 to 4, every URI will be selected 25% of the time, assuming tokenId values are uniformly distributed. Here’s how you could adjust the function:
This change ensures that each URI is equally likely to be assigned to any new tokenId minted, assuming a sequential or uniformly random distribution of tokenId values.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.