The function `MondrianWallet:tokenURI` does not provide an equal distribution among the four possible URIs. One URI is favored significantly over the others.
Summary
The function MondrianWallet:tokenURI does not provide an equal distribution among the four possible URIs. One URI is favored significantly over the others.
Vulnerability Details
The function uses the tokenId % 10 operation to determine which URI to return. This results in the following mappings:
tokenId % 10 == 0 maps to ART_ONE
tokenId % 10 == 1 maps to ART_TWO
tokenId % 10 == 2 maps to ART_THREE
All other results of tokenId % 10 (3 through 9) map to ART_FOUR.
Here’s a breakdown of the distribution:
ART_ONE is returned for 10% of token IDs (those ending in 0).
ART_TWO is returned for 10% of token IDs (those ending in 1).
ART_THREE is returned for 10% of token IDs (those ending in 2).
ART_FOUR is returned for 70% of token IDs (those ending in 3 through 9).
Clearly, the distribution is not equal among the four URIs. ART_FOUR is significantly more common than the others.
Impact
ART_FOUR will be more distributed than other ARTs which is not compliant with the NFT part annoucement:
You'll see the tokenURI function returns one of 4 random Mondrian art paintings. Each should have equal distribution and be random.
Tools Used
Manual review
Recommendations
Change the modulo operation from 10 to 4, every URI will be selected 25% of the time, assuming tokenId values are uniformly distributed. Here’s how you could adjust the function:
This change ensures that each URI is equally likely to be assigned to any new tokenId minted, assuming a sequential or uniformly random distribution of tokenId values.
Lead Judging Commences
NFT's should have equal distribution
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.