8 matches found
Function fulfillRandomWords in VRFNFTRandomDraw contract must not revert
Lines of code Vulnerability details The VRFNFTRandomDraw contract implements the Chainlink VFR feature to pull random data to select the raffle winner. As per their security guidelines the implementation of the fulfillRandomWords function must not revert. Impact If the fulfillRandomWords function...
Use safeTransferFrom instead of transferFrom for ERC721 transfers
Lines of code Vulnerability details Impact In the contract VRFNFTRandomDraw.sol every transfer of ERC721 are done with the transferFrom instead of the recommended safeTransferFrom. This transferFrom does not check whether the receiver is capable of proper handling of NFTs. Proof of Concept If the...
The recoverTimelock does not sufficiently protect against an admin withdrawing the NFT before a user is able to claim it
Lines of code Vulnerability details Impact When a VRFNFTRandomDraw contract is initialized, the recoverTimelock variable is set. The variable should be used to prevent the admin from calling the lastResortTimelockOwnerClaimNFT function before a certain amount of time has passed to ensure that the...
Bad actor can burn VRFCoordinatorV2 LINK's balance
Lines of code Vulnerability details Impact All VRFNFTRandomDraw instances share the same VRFCoordinatorV2 address, and LINK fees are deducted from this smart contract. There are a couple of issues that may be exploited by malicious actor to overinflate calls to VRF and in lead to griefing, e.g. B...
Draw admin/owner can rug the winner after recoverTimelock expires.
Lines of code Vulnerability details Impact The admin/owner of VRFNFTRandomDraw can wait for recoverTimelock to expire before making the draw. This way he can use lastResortTimelockOwnerClaimNFT to take back the reward NFT from the contract without any time to allow for the winner to claim. He cou...
Malicious ChainLink's VRF manager can decide to not whitelist VRFNFTRandomDraw or brick ongoing raffles
Lines of code Vulnerability details Impact ChainLinks VRF manager has priviledged position, as all VRFNFTRandomDraw instances share the same VRFCoordinatorV2 address, and have to be whitelisted in order to be able to send requestRandomWords function. There is centralization risk in this case, tha...
A compromised owner of VRFNFTRandomDraw can claim the NFT to another accomplice addresss
Lines of code Vulnerability details Impact Detailed description of the impact of this finding. A compromised owner of VRFNFTRandomDraw can claim the NFT to another accomplice addresss Proof of Concept Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other...
In case the winner is the address(0)
Lines of code Vulnerability details Impact Temporary freezing NFT this can be more than one period Proof of Concept On VRFNFTRandomDraw.fulfillRandomWords 254 request.currentChosenTokenId = 255 randomWords0 % tokenRange + 256 settings.drawingTokenStartId; In case ownerOfrequest.currentChosenToken...