c4-judge
commented
1 year ago thereksfour changed the severity to QA (Quality Assurance)
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago thereksfour changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago thereksfour marked the issue as grade-b
rand0c0des
commented
1 year ago Agreed on QA finding
c4-sponsor
commented
1 year ago rand0c0des marked the issue as sponsor confirmed
c4-judge
commented
1 year ago thereksfour marked the issue as grade-a
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/RNSourceController.sol#L89-L104
Vulnerability details
Impact
The protocol uses the direct funding method of VRF V2. This method requires that the consuming contracts have sufficient LINK tokens before they request randomness. If there are not enough LINK tokens, the request will be reverted. This creates an attack vector: If the lottery contracts run out of LINK tokens, after maxFailedAttempts, a new untrusted source can be swapped in. This poses a risk of manipulating the random source.
https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/RNSourceController.sol#L89-L104
https://docs.chain.link/vrf/v2/direct-funding
Proof of Concept
Tools Used
Manually Chainlink docs
Recommended Mitigation Steps
Adding mechanism to evaluate the LINK token balance and refill it.
One possible mechanism to evaluate and refill the LINK token balance is to check it after each draw. If it falls below a certain level, the Lottery contract can call UNISWAP to swap some DAI for LINK and record the transaction as an expense that reduces the lottery net profit.