When querying a tokenURI from MondrianWallet, the calculation that determines the token URI is incorrect. As a result, token URIs are not evenly distributed across tokens, even though even distribution is the stated intention of this protocol.
According to the protocol's description, each NFT minted via MondrianWallet is supposed to have one of four token URIs, and the token URIs are supposed to be evenly distributed across tokens. The protocol tries to achieve this by applying the modulus operator to a given tokenId.
The important line where this happens is here.
Here's the entire tokenURI function for reference:
The expression tokenId % 10 always returns the remainder, which is meant to select one of the predefined token URIs. The conditions on modNumber expect one of the values 0, 1 and 2, and default to the ART_FOUR token URI otherwise.
To ensure the token URIs are evenly distributed, the function needs to cycle through 0, 1, 2, 3 and then repeat. For any modNumber greater than 2 we get the same token URI, which violates the property of token URIs being evenly distributed. This is currently the case because tokenId % 10 does not produce evenly distributed remainder values:
While token ids 1 and 2 yield ART_TWO and ART_THREE respectively, token ids 3 - 9 all yield ART_FOUR. Only then does the cycle repeat.
While this isn't a security vulnerability, it is at least a bug in the code that violates one of the protocol's stated properties. On average, most users will mint a token with the token URI ART_FOUR.
Manual review
To fix this, the modulus expression needs to use 4 instead of 10, as this ensures evenly distributed token URIs: