Closed c4-submissions closed 11 months ago
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L227-L232 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerNXT.sol#L55-L59 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/XRandoms.sol#L40-L43
When a token is minted, NextGenCore#_mintProcessing calls RandomizerNXT#calculateTokenHash, which in turn calls XRandoms#randomWord.
NextGenCore#_mintProcessing
RandomizerNXT#calculateTokenHash
XRandoms#randomWord
RandomizerNXT#randomWord calculates a value in range [0,99] and passes it into getWord:
RandomizerNXT#randomWord
getWord
function getWord(uint256 id) private pure returns (string memory) { // array storing the words list string[100] memory wordsList = ["Acai", "Ackee", "Apple", "Apricot", "Avocado", "Babaco", "Banana", "Bilberry", "Blackberry", "Blackcurrant", "Blood Orange", "Blueberry", "Boysenberry", "Breadfruit", "Brush Cherry", "Canary Melon", "Cantaloupe", "Carambola", "Casaba Melon", "Cherimoya", "Cherry", "Clementine", "Cloudberry", "Coconut", "Cranberry", "Crenshaw Melon", "Cucumber", "Currant", "Curry Berry", "Custard Apple", "Damson Plum", "Date", "Dragonfruit", "Durian", "Eggplant", "Elderberry", "Feijoa", "Finger Lime", "Fig", "Gooseberry", "Grapes", "Grapefruit", "Guava", "Honeydew Melon", "Huckleberry", "Italian Prune Plum", "Jackfruit", "Java Plum", "Jujube", "Kaffir Lime", "Kiwi", "Kumquat", "Lemon", "Lime", "Loganberry", "Longan", "Loquat", "Lychee", "Mammee", "Mandarin", "Mango", "Mangosteen", "Mulberry", "Nance", "Nectarine", "Noni", "Olive", "Orange", "Papaya", "Passion fruit", "Pawpaw", "Peach", "Pear", "Persimmon", "Pineapple", "Plantain", "Plum", "Pomegranate", "Pomelo", "Prickly Pear", "Pulasan", "Quine", "Rambutan", "Raspberries", "Rhubarb", "Rose Apple", "Sapodilla", "Satsuma", "Soursop", "Star Apple", "Star Fruit", "Strawberry", "Sugar Apple", "Tamarillo", "Tamarind", "Tangelo", "Tangerine", "Ugli", "Velvet Apple", "Watermelon"]; // returns a word based on index if (id==0) { return wordsList[id]; } else { return wordsList[id - 1]; } }
If getWord receives 0 or 1 as a parameter, it returns "Acai"; if getWord receives 99 as a parameter, it returns "Velvet Apple".
Because of the error, "Acai" is twice as likely to be returned, and "Watermelon" will never be returned.
Manual Review
- if (id==0) { - return wordsList[id]; - } else { - return wordsList[id - 1]; - } + return wordsList[id];
Error
141345 marked the issue as duplicate of #508
alex-ppg changed the severity to QA (Quality Assurance)
alex-ppg marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L227-L232 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerNXT.sol#L55-L59 https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/XRandoms.sol#L40-L43
Vulnerability details
Impact
When a token is minted,
NextGenCore#_mintProcessing
callsRandomizerNXT#calculateTokenHash
, which in turn callsXRandoms#randomWord
.RandomizerNXT#randomWord
calculates a value in range [0,99] and passes it intogetWord
:If getWord receives 0 or 1 as a parameter, it returns "Acai"; if getWord receives 99 as a parameter, it returns "Velvet Apple".
Because of the error, "Acai" is twice as likely to be returned, and "Watermelon" will never be returned.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Error