After 3 failures the owner can set the source directly, if it is a malicious source can execute rug
Proof of Concept
In order to prevent Chainlink VRF can no longer obtain random numbers for some reason, the protocol provides a retry mechanism. For example, you can set the number of retries: 3, each interval: 1 hour, after 3 times the owner can switch source by swapSource(), using the new source to provide random numbers.
There are several possible reasons for the failure of obtaining random numbers (not limited to the following 2 cases).
Chainlink's own reasons
VRFv2RNSource Link Token balance is insufficient (owner malicious transfer less or not, the user may not find and transfer link token in time)
etc.
If this happens, about 3 hours, the owner can modify the source, and the new modified source immediately take effect
If the owner sets a malicious source, it is very easy to rug all of Lottery's funds.(free to specify jackpot number).
So some kind of mechanism needs to be established to restrict direct modification of source
Such as the following mechanism:
The owner can propose a new source, but it will take one week to take effect.
Lottery NFT owners (representing users who have bought tickets) can vote during the week, and if the percentage of votes exceeds 10% of totalSupply, the owner's proposal can be rejected.
After one week, if no one votes or less than 10%, the new source will be effective.
This is not 100% ensure safety, but it can reduce the possibility of malicious rug.
Tools Used
Recommended Mitigation Steps
The owner can propose a new source, but it will take one week to take effect.
Lottery NFT owners (representing users who have bought tickets) can vote during the week, and if the percentage of votes exceeds 10% of totalSupply, the owner's proposal can be rejected.
After one week, if no one votes or less than 10%, the new source will be effective.
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/RNSourceController.sol#L60
Vulnerability details
Impact
After 3 failures the owner can set the
source
directly, if it is a malicioussource
can execute rugProof of Concept
In order to prevent Chainlink VRF can no longer obtain random numbers for some reason, the protocol provides a retry mechanism. For example, you can set the number of retries: 3, each interval: 1 hour, after 3 times the owner can switch
source
by swapSource(), using the new source to provide random numbers.There are several possible reasons for the failure of obtaining random numbers (not limited to the following 2 cases).
If this happens, about 3 hours, the owner can modify the
source
, and the new modifiedsource
immediately take effectIf the owner sets a malicious source, it is very easy to rug all of Lottery's funds.(free to specify jackpot number).
So some kind of mechanism needs to be established to restrict direct modification of source Such as the following mechanism:
This is not 100% ensure safety, but it can reduce the possibility of malicious rug.
Tools Used
Recommended Mitigation Steps