Beginner FriendlyFoundry
100 EXP
View results
Submission Details
Severity: medium
Valid

The function `MondrianWallet:tokenURI` does not provide an equal distribution among the four possible URIs. One URI is favored significantly over the others.

Summary

The function MondrianWallet:tokenURI does not provide an equal distribution among the four possible URIs. One URI is favored significantly over the others.

Vulnerability Details

The function uses the tokenId % 10 operation to determine which URI to return. This results in the following mappings:

  • tokenId % 10 == 0 maps to ART_ONE

  • tokenId % 10 == 1 maps to ART_TWO

  • tokenId % 10 == 2 maps to ART_THREE

  • All other results of tokenId % 10 (3 through 9) map to ART_FOUR.

Here’s a breakdown of the distribution:

ART_ONE is returned for 10% of token IDs (those ending in 0).
ART_TWO is returned for 10% of token IDs (those ending in 1).
ART_THREE is returned for 10% of token IDs (those ending in 2).
ART_FOUR is returned for 70% of token IDs (those ending in 3 through 9).

Clearly, the distribution is not equal among the four URIs. ART_FOUR is significantly more common than the others.

Impact

ART_FOUR will be more distributed than other ARTs which is not compliant with the NFT part annoucement:

You'll see the tokenURI function returns one of 4 random Mondrian art paintings. Each should have equal distribution and be random.

Tools Used

Manual review

Recommendations

Change the modulo operation from 10 to 4, every URI will be selected 25% of the time, assuming tokenId values are uniformly distributed. Here’s how you could adjust the function:

function tokenURI(uint256 tokenId) public view override returns (string memory) {
if (ownerOf(tokenId) == address(0)) {
revert MondrainWallet__InvalidTokenId();
}
uint256 modNumber = tokenId % 4; // Change modulo from 10 to 4
if (modNumber == 0) {
return ART_ONE;
} else if (modNumber == 1) {
return ART_TWO;
} else if (modNumber == 2) {
return ART_THREE;
} else {
return ART_FOUR;
}
}

This change ensures that each URI is equally likely to be assigned to any new tokenId minted, assuming a sequential or uniformly random distribution of tokenId values.

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

NFT's should have equal distribution

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.