code-423n4 / 2022-12-forgeries-findings


There is no check for tokenId interval to confirm if the tokens actually exist #265

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L112

Vulnerability details

Impact

initialize() does not check if the token id interval (drawingTokenEndId-drawingTokenStartId) is valid for the NFT collection. A range that does not exist can be passed to initiate a raffle, and the raffle may result in no winners. The issue can be abused by a malicious drawer.

Tools Used

Manual audit

Recommended Mitigation Steps

Check if the passed drawingTokenStartId and drawingTokenEndId are in the range of the existing tokens.
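One way to implement the recommended check, as an added example that is not code from the forgeries repository or from the report's author: a library that reverts unless every token ID in the requested interval currently has an owner. The library name, function names and error names are hypothetical, and it assumes `drawingTokenEndId` is exclusive and that the drawing token follows ERC-721, where `ownerOf` reverts for IDs that do not exist.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4; // custom errors need 0.8.4 or later

// Added illustration; names below are hypothetical, not the project's own.
interface IERC721Minimal {
    // ERC-721: queries for token IDs that are not assigned to an owner revert.
    function ownerOf(uint256 tokenId) external view returns (address);
}

library DrawingRangeCheck {
    error EmptyRange();
    error TokenDoesNotExist(uint256 tokenId);

    /// @notice Reverts unless every ID in [startId, endId) has an owner.
    /// @dev Assumption: endId is exclusive. Cost grows linearly with the
    ///      size of the range, so a caller would pair this with a cap on
    ///      endId - startId or run it off-chain before creating the draw.
    function requireRangeExists(
        address drawingToken,
        uint256 startId,
        uint256 endId
    ) internal view {
        if (endId <= startId) revert EmptyRange();
        for (uint256 id = startId; id < endId; ++id) {
            if (!_exists(drawingToken, id)) revert TokenDoesNotExist(id);
        }
    }

    /// @dev Treats a revert from ownerOf, or a zero owner, as "not minted".
    function _exists(address token, uint256 id) private view returns (bool) {
        try IERC721Minimal(token).ownerOf(id) returns (address owner) {
            return owner != address(0);
        } catch {
            return false;
        }
    }
}
```

The check only reflects state at the time it runs: tokens burned after `initialize()` would still leave gaps in the interval.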

c4-judge commented 1 year ago

Duplicate of https://github.com/code-423n4/2022-12-forgeries-findings/issues/281

gzeoneth commented 1 year ago

known limitation and still fair