The tokenURI function takes a tokenId as its parameter. If tokenId values are assigned randomly, the result is an unequal distribution of NFTs. The vulnerability is located in MondrianWallet.sol#L165, where the modulo operation tokenId % 10 is performed. The remainder of this operation is intended to select the token URI. The problem is the chosen modulus of 10: the protocol offers only 4 different types of NFTs, yet tokenId % 10 can yield any remainder from 0 to 9 depending on the numerical value of tokenId.
Because of this modulo operation in the tokenURI implementation, NFTs are distributed unevenly, with the NFT carrying the token URI ART_FOUR being distributed significantly more often than the others. In fact, whenever the numeric tokenId of a painting that should be ART_ONE, ART_TWO or ART_THREE ends in a digit from 3 to 9, tokenURI returns the token URI of ART_FOUR instead of the intended one. This breaks the protocol invariant that the four artworks are distributed evenly.
Manual review, VS Code
Consider making the following change to the tokenURI function: