Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L112
Vulnerability details
Impact
initialize() does not check if the token id interval (drawingTokenEndId-drawingTokenStartId) is valid for the NFT collection. A range that does not exist can be passed to initiate a raffle, and the raffle may result in no winners. The issue can be abused by a malicious drawer.
Tools Used
Manual audit
Recommended Mitigation Steps
Check if the passed drawingTokenStartId and drawingTokenEndId are in the range of the existing tokens.
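One way to implement the recommended check, as an added example that is not code from the audited repository. The library name, the `drawingToken` parameter, the `MAX_RANGE` cap and the half-open range `[startId, endId)` are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.16;

// Added example, not code from the audited repository.
// Minimal ERC-721 surface needed for the check. EIP-721 specifies that
// ownerOf throws for NFTs assigned to the zero address (unminted or burned ids).
interface IERC721Minimal {
    function ownerOf(uint256 tokenId) external view returns (address);
}

library DrawingRangeCheck {
    error EMPTY_OR_INVERTED_RANGE();
    error RANGE_TOO_LARGE(uint256 size, uint256 maxSize);
    error TOKEN_NOT_MINTED(uint256 tokenId);

    // Hypothetical cap so the validation loop stays within the block gas limit.
    uint256 internal constant MAX_RANGE = 500;

    /// Reverts unless every id in [startId, endId) currently has an owner.
    /// Assumption: endId is exclusive.
    function validate(address drawingToken, uint256 startId, uint256 endId) internal view {
        if (endId <= startId) revert EMPTY_OR_INVERTED_RANGE();

        uint256 size = endId - startId;
        if (size > MAX_RANGE) revert RANGE_TOO_LARGE(size, MAX_RANGE);

        for (uint256 id = startId; id < endId; ++id) {
            // A revert from the token contract means the id does not exist.
            try IERC721Minimal(drawingToken).ownerOf(id) returns (address owner) {
                if (owner == address(0)) revert TOKEN_NOT_MINTED(id);
            } catch {
                revert TOKEN_NOT_MINTED(id);
            }
        }
    }
}
```

The check only reflects the collection's state at the time initialize() runs; a token burned afterwards is not covered. Checking every id costs one external call per token, which is why the range size is capped here.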