`TokenURI` probability isn't equally distributed
Summary
Mondrian Wallet states that the tokenURI should maintain equal distribution. The source code indicates 7 out of 10 times, the Mondrian art painting selected would be ART_FOUR.
Vulnerability Details
The probability of getting ART_FOUR is bigger than getting every other art piece. This is because %10 can have 9 values (0,1,2,3,4,5,6,7,8,9) , and the if statement, only gives the first three arts to values 0,1,2 respectively. All other possible values, 3,4,5,6,7,8,9 are given ART_FOUR
Impact
Low, as it does not impact the functioning of the wallet
Tools Used
Manual Review
Recommendations
Instead of using tokenId % 10;, it is recommended to use tokenId % 4;. This will create an equal distribution of the token Uri.
It is also worth mentioning that this is not a randomized source, as anyone can wait and listen to the blockchain to get a specific Mondrian art painting. Implementing an Oracle could provide a real random source.
Lead Judging Commences
NFT's should have equal distribution
NFTs are not random
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.