code-423n4 / 2021-05-nftx-findings


User can avoid paying `directRedeemFee` by passively controlling the output of `getPseudoRand` #108

Closed code423n4 closed 3 years ago

code423n4 commented 3 years ago

Handle

shw

Vulnerability details

Impact

The getPseudoRand function uses a weak PRNG, based on blockhash(block.number - 1), which can be calculated on-chain by any smart contract beforehand. With the assistance of Flashbots, users can revert transactions without paying gas fees to the miner. Thus, before interacting with the Vault, a user can calculate the result of the randomness first to see if it is satisfying. If not, he reverts the transaction and retries as many times as he desires. In short, the output randomness is predictable and potentially controllable (especially when the variable modulus is not large enough) without the user paying gas fees but only a tip to the miner.

In both redeemTo and swapTo functions, the directRedeemFee and redeemFee seem to be different. Assuming that directRedeemFee is greater than redeemFee, a user could exploit the potentially controllable output of randomness to redeem or swap specific chosen NFTs but avoid paying directRedeemFee at the same time.

Proof of Concept

Referenced code: NFTXVaultUpgradeable.sol#L413-L427 NFTXVaultUpgradeable.sol#L245-L247 NFTXVaultUpgradeable.sol#L280-L282

Tools Used

None

Recommended Mitigation Steps

Use Chainlink VRF to generate randomness.
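The weak blockhash-based pattern described above, placed beside a two-step request/callback design of the kind Chainlink VRF provides, as an added Solidity illustration that is not part of this finding or of the NFTX code base. `IRandomnessCoordinator`, `RandomRedeem`, `holdings` and the coordinator interface are assumed names and a simplified stand-in for a real VRF coordinator API; the point is that the caller's transaction finishes before any randomness exists, so there is no outcome to inspect and revert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical interface standing in for a VRF coordinator (the real Chainlink
// API differs); it only models the "request now, receive later" shape.
interface IRandomnessCoordinator {
    function requestRandomness() external returns (uint256 requestId);
}

contract RandomRedeem {
    event Redeemed(address indexed redeemer, uint256 tokenId);

    uint256[] public holdings;            // token ids held by the vault (assumed)
    address public immutable coordinator; // only this address may deliver randomness
    mapping(uint256 => address) public pendingRedeemer;

    constructor(address _coordinator) { coordinator = _coordinator; }

    // WEAK: the index depends only on state every transaction in this block can
    // already read, so a contract can compute it first and revert if it dislikes
    // the result, retrying until a chosen token comes out.
    function getPseudoRandWeak(uint256 modulus) internal view returns (uint256) {
        return uint256(blockhash(block.number - 1)) % modulus;
    }

    // HARDENED step 1: the user's transaction only records a request. No
    // randomness exists at this point, so there is nothing to inspect or revert.
    function requestRedeem() external returns (uint256 requestId) {
        require(holdings.length > 0, "empty vault");
        requestId = IRandomnessCoordinator(coordinator).requestRandomness();
        pendingRedeemer[requestId] = msg.sender;
    }

    // HARDENED step 2: the coordinator delivers randomness in a later transaction
    // that the redeemer did not send and therefore cannot revert to retry.
    function fulfillRandomness(uint256 requestId, uint256 randomness) external {
        require(msg.sender == coordinator, "not coordinator");
        address redeemer = pendingRedeemer[requestId];
        require(redeemer != address(0), "unknown request");
        delete pendingRedeemer[requestId];
        uint256 idx = randomness % holdings.length;
        uint256 tokenId = holdings[idx];
        holdings[idx] = holdings[holdings.length - 1]; // swap-and-pop removal
        holdings.pop();
        // ERC-721 transfer of tokenId to redeemer would follow here (omitted)
        emit Redeemed(redeemer, tokenId);
    }
}
```

Because the random choice is made only in the coordinator's callback, a redeemer can no longer steer the outcome toward a specific NFT while paying the lower redeemFee instead of directRedeemFee.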