Malicious ChainLink's VRF manager can decide to not whitelist VRFNFTRandomDraw or brick ongoing raffles

[code423n4]

Lines of code

https://github.com/code-423n4/2022-12-forgeries/blob/main/src/VRFNFTRandomDraw.sol#L162-L167

Vulnerability details

Impact

ChainLinks VRF manager has priviledged position, as all VRFNFTRandomDraw instances share the same VRFCoordinatorV2 address, and have to be whitelisted in order to be able to send requestRandomWords function. There is centralization risk in this case, that malicious manager can decide not to whitelist specific raffles, or call VRFCoordinatorV2::cancelSubscription to brick all raffles.

Proof of Concept

1. Users create raffles, many of them are ongoing
2. Malicious VRFCoordinatorV2 manager calls VRFCoordinatorV2::cancelSubscription() function
3. All raffles sharing the same subscriptionID won't be able to request random number

1. A raffle starts, but there is no winner (e.g. token owner is address 0)
2. VRF manager removes the raffle from subscription list
3. Raffle cannot be redrawned

Tools Used

VS Code

Recommended Mitigation Steps

Probably some of the risks

1. Add possibility to update VRFCoordinatorV2 address, however this may create another risk, of updating to a malicious smart contract.
2. Use Chainlink's VRF v1, so that each VRFNFTRandomDraw manages it's own LINK balance.

[c4-judge]

gzeon-c4 marked the issue as duplicate of #194

[c4-judge]

gzeon-c4 marked the issue as unsatisfactory: Invalid

[c4-judge]

gzeon-c4 marked the issue as satisfactory