code-423n4 / 2022-12-forgeries-findings


If the subscription does not have enough funds the winner can not be chosen #274

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L162

Vulnerability details

Impact

VRF's subscriptionId can be chosen by the drawer, and it is the drawer's responsibility to fund the subscription. If the drawer, maliciously or not, fails to do so, the draw will result in no winners, and the drawer can reclaim the offered NFT.

Recommended Mitigation Steps

Charge the required amount of LINK from the drawer before creating the raffle, use it to fund a protocol-owned VRF subscription, and use that subscription in all draws instead of letting drawers choose their own.
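As an added illustration that is not part of this finding or of the Forgeries code base, the sketch below puts the drawer-supplied subscription pattern the finding describes next to the mitigation it recommends: the protocol owns a single VRF subscription, and starting a draw pulls a fixed LINK amount from the drawer and forwards it to that subscription through LINK's `transferAndCall`, which is the funding path the Chainlink VRF v2 coordinator accepts (it decodes the subscription id from the data payload). The contract names, the `LINK_PER_DRAW` fee, the request parameters and the minimum-balance check are assumptions for the example; the two interfaces are trimmed to the coordinator and LINK functions actually called.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.10;

// Trimmed interfaces: assumed to match the Chainlink VRF v2 coordinator and LINK (ERC677)
// signatures, reduced to the calls this example uses.
interface IVRFCoordinatorV2 {
    function requestRandomWords(
        bytes32 keyHash, uint64 subId, uint16 minConf, uint32 gasLimit, uint32 numWords
    ) external returns (uint256 requestId);
    function getSubscription(uint64 subId)
        external view returns (uint96 balance, uint64 reqCount, address owner, address[] memory consumers);
}

interface ILinkToken {
    function transferFrom(address from, address to, uint256 value) external returns (bool);
    function transferAndCall(address to, uint256 value, bytes calldata data) external returns (bool);
}

/// Example only: the pattern the finding describes. The drawer picks the subscription
/// and nothing checks that it is funded.
contract DrawerFundedDraw {
    IVRFCoordinatorV2 public immutable coordinator;
    uint64 public subscriptionId; // chosen by the drawer

    constructor(IVRFCoordinatorV2 _coordinator) { coordinator = _coordinator; }

    function startDraw(uint64 _subscriptionId, bytes32 keyHash) external {
        subscriptionId = _subscriptionId;
        // If this subscription never holds enough LINK the request is never fulfilled:
        // no winner is chosen and the NFT can later be reclaimed by the drawer.
        coordinator.requestRandomWords(keyHash, subscriptionId, 3, 200_000, 1);
    }
}

/// Example only: the recommended mitigation. One protocol-owned subscription is fixed at
/// deployment, and every draw is paid for by the drawer up front.
contract ProtocolFundedDraw {
    IVRFCoordinatorV2 public immutable coordinator;
    ILinkToken public immutable link;
    uint64 public immutable protocolSubId;            // owned by the protocol, not the drawer
    uint256 public constant LINK_PER_DRAW = 2 ether;  // assumed per-draw fee in LINK (18 decimals)

    error SubscriptionUnderfunded(uint96 balance);

    constructor(IVRFCoordinatorV2 _coordinator, ILinkToken _link, uint64 _protocolSubId) {
        coordinator = _coordinator;
        link = _link;
        protocolSubId = _protocolSubId;
    }

    function startDraw(bytes32 keyHash) external {
        // 1. Pull the fee from the drawer (drawer must have approve()d this contract first).
        require(link.transferFrom(msg.sender, address(this), LINK_PER_DRAW), "LINK transfer failed");

        // 2. Forward it to the protocol-owned subscription. The coordinator's onTokenTransfer
        //    reads the uint64 subscription id out of the abi-encoded data field.
        require(link.transferAndCall(address(coordinator), LINK_PER_DRAW, abi.encode(protocolSubId)), "funding failed");

        // 3. Refuse to start a draw the subscription cannot pay for, so a request is never
        //    left pending for lack of funds.
        (uint96 balance,,,) = coordinator.getSubscription(protocolSubId);
        if (balance < LINK_PER_DRAW) revert SubscriptionUnderfunded(balance);

        coordinator.requestRandomWords(keyHash, protocolSubId, 3, 200_000, 1);
    }
}
```

For the hardened contract to work the protocol must also register it as a consumer on `protocolSubId` (a one-time owner action on the coordinator, outside this sketch). The balance check in step 3 is deliberately redundant with the funding in step 2: it turns a silently unfulfilled request, the failure mode the finding is about, into an explicit revert that the drawer sees at the moment of starting the draw.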

c4-judge commented 1 year ago

gzeon-c4 marked the issue as duplicate of #194

c4-judge commented 1 year ago

gzeon-c4 marked the issue as satisfactory