Closed code423n4 closed 1 year ago
1: ArtGobblers.sol may not be able to set a new RandProvider
if current VRF is sunset or invalid will change RandProvider by call upgradeRandProvider() upgradeRandProvider() detect gobblerRevealsData.waitingForSeed!=true But it is very possible that the old RandProvider is no longer valid and can no longer provide randomSeed again, resulting in waitingForSeed always being true, thus making it impossible to change the RandProvider Suggest adding an expiration time
function upgradeRandProvider(RandProvider newRandProvider) external onlyOwner {
// Revert if waiting for seed, so we don't interrupt requests in flight.
--- if (gobblerRevealsData.waitingForSeed) revert SeedPending(); +++ if (gobblerRevealsData.waitingForSeed) { +++ if (block.timestamp <= gobblerRevealsData.nextRevealTimestamp + 1 days) revert SeedPending(); +++ gobblerRevealsData.waitingForSeed = false; +++ gobblerRevealsData.toBeRevealed = 0; }
randProvider = newRandProvider; // Update the randomness provider.
emit RandProviderUpgraded(msg.sender, newRandProvider);
}
Dup of https://github.com/code-423n4/2022-09-artgobblers-findings/issues/153
Judge has assessed an item in Issue #160 as Medium risk. The relevant finding follows: