Lines of code
https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L162
Vulnerability details
Impact
The Chainlink VRF subscriptionId used for a draw is chosen by the drawer, and it is the drawer's responsibility to keep that subscription funded with LINK. If the drawer, maliciously or not, fails to do so, the randomness request is never fulfilled, the draw produces no winner, and the drawer can reclaim the NFT that was offered as the prize.
Recommended Mitigation Steps
Charge the required amount of LINK from the drawer before the raffle is created, use it to fund a protocol-owned VRF subscription, and use that subscription for all draws instead of letting each drawer supply their own subscriptionId.
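The following is an added illustration of the two patterns, not code from the Forgeries repository: a contract that trusts a drawer-supplied subscriptionId beside one that charges the drawer a LINK fee at raffle creation and forwards it to a protocol-owned subscription. The Chainlink interfaces are trimmed to the calls used, the fee amount, confirmation count and gas limit are assumed values, and it is assumed that the protocol has already created the subscription and registered the consuming contract with addConsumer.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Illustrative example only (not the Forgeries contracts). The Chainlink
// interfaces below are reduced to the functions this example calls.
interface VRFCoordinatorV2Interface {
    function requestRandomWords(
        bytes32 keyHash,
        uint64 subId,
        uint16 minimumRequestConfirmations,
        uint32 callbackGasLimit,
        uint32 numWords
    ) external returns (uint256 requestId);
}

interface LinkTokenInterface {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool);
}

/// Vulnerable pattern: the drawer picks the subscription. The request is
/// accepted by the coordinator, but an unfunded subscription is never
/// fulfilled, so the draw has no winner and the prize can be reclaimed.
contract DrawerSuppliedSubscription {
    VRFCoordinatorV2Interface public immutable coordinator;
    bytes32 public immutable keyHash;
    uint64 public subscriptionId; // chosen by the drawer, funded out of band (or not)
    address public drawer;

    constructor(address _coordinator, bytes32 _keyHash) {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        keyHash = _keyHash;
    }

    function initialize(uint64 _subscriptionId) external {
        drawer = msg.sender;
        subscriptionId = _subscriptionId;
    }

    function startDraw() external returns (uint256) {
        require(msg.sender == drawer, "not drawer");
        // Nothing here checks that `subscriptionId` holds any LINK.
        // Assumed parameters: 3 confirmations, 200k callback gas, 1 word.
        return coordinator.requestRandomWords(keyHash, subscriptionId, 3, 200_000, 1);
    }
}

/// Hardened pattern: the protocol owns the subscription and pays for every
/// draw from LINK collected up front. Funding uses LINK's transferAndCall
/// to the coordinator with abi.encode(subId) as data, which is how VRF v2
/// subscriptions are topped up on-chain.
contract ProtocolFundedSubscription {
    VRFCoordinatorV2Interface public immutable coordinator;
    LinkTokenInterface public immutable link;
    bytes32 public immutable keyHash;
    uint64 public immutable subscriptionId; // created and owned by the protocol
    uint256 public immutable linkFeePerDraw; // assumed fixed per-draw fee

    mapping(address => bool) public raffleFunded;

    constructor(
        address _coordinator,
        address _link,
        bytes32 _keyHash,
        uint64 _subscriptionId,
        uint256 _linkFeePerDraw
    ) {
        coordinator = VRFCoordinatorV2Interface(_coordinator);
        link = LinkTokenInterface(_link);
        keyHash = _keyHash;
        subscriptionId = _subscriptionId;
        linkFeePerDraw = _linkFeePerDraw;
    }

    /// Drawer must have approved `linkFeePerDraw` LINK to this contract first.
    function createRaffle() external {
        require(!raffleFunded[msg.sender], "already funded");
        require(link.transferFrom(msg.sender, address(this), linkFeePerDraw), "LINK transfer failed");
        // Forward the fee into the protocol's subscription before any draw can start.
        require(
            link.transferAndCall(address(coordinator), linkFeePerDraw, abi.encode(subscriptionId)),
            "subscription funding failed"
        );
        raffleFunded[msg.sender] = true;
    }

    function startDraw() external returns (uint256) {
        require(raffleFunded[msg.sender], "raffle not funded");
        raffleFunded[msg.sender] = false;
        // The subscription is guaranteed to have received this draw's fee.
        return coordinator.requestRandomWords(keyHash, subscriptionId, 3, 200_000, 1);
    }
}
```

The fee charged should cover the coordinator's fulfillment cost (premium plus gas at the configured callback limit); if the fixed `linkFeePerDraw` is set too low, the protocol-owned subscription can still run dry, so a production version would size the fee from the coordinator's fee configuration or from a protocol-maintained floor rather than a constant.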