Since the writeEntropyBatch1,2,3 functions generate random number arrays based on the current block hash, and the subsequent values are taken sequentially from the array, the currentNumberIndex is also accessible during NFT minting (cycling from 0 to 12). Users can manipulate these two values to bypass randomness, allowing them to mint high-quality NFTs and claim rewards.
Lines of code
https://github.com/TraitForge/traitforge-contracts/blob/main/contracts/EntropyGenerator/EntropyGenerator.sol#L47
Vulnerability details
Impact
Since the writeEntropyBatch1,2,3 functions generate random number arrays based on the current block hash, and the subsequent values are taken sequentially from the array, the currentNumberIndex is also accessible during NFT minting (cycling from 0 to 12). Users can manipulate these two values to bypass randomness, allowing them to mint high-quality NFTs and claim rewards.
Proof of Concept
https://github.com/TraitForge/traitforge-contracts/blob/main/contracts/TraitForgeNft/TraitForgeNft.sol#L280
Tools Used
Recommended Mitigation Steps
It is recommended that users pay a fee to obtain random numbers from the Chainlink oracle to prevent manipulation in NFT minting.
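The following is an added example, not code from the TraitForge contracts or from the report: a simplified Python model that an auditor can use to test whether entropy is computable from public state before a mint, next to a request-then-fulfil model of the recommended oracle approach. The hash construction, the output range and all class and function names are assumptions made for the model; only the 13-slot index cycle and the block-hash seed come from the report.

```python
import hashlib
import secrets

SLOTS = 13          # the report states the index cycles from 0 to 12
RANGE = 10**6       # constructed output range for this model

def _digest_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % RANGE

def derive_batch(block_hash: bytes) -> list[int]:
    # Assumption: every slot is a pure function of the public block hash.
    return [_digest_int(block_hash, bytes([i])) for i in range(SLOTS)]

class BlockHashEntropy:
    """Weak model: seed and read index are both public state."""
    def __init__(self, block_hash: bytes):
        self.block_hash, self.index = block_hash, 0
        self.batch = derive_batch(block_hash)

    def next_entropy(self) -> int:
        value = self.batch[self.index]
        self.index = (self.index + 1) % SLOTS
        return value

def forecast_from_public_state(block_hash: bytes, index: int) -> int:
    # Uses nothing but values any observer can read before a mint.
    return derive_batch(block_hash)[index]

def forecast_hit_rate(trials: int = 200) -> float:
    hits = 0
    for _ in range(trials):
        gen = BlockHashEntropy(secrets.token_bytes(32))
        for _ in range(secrets.randbelow(SLOTS)):
            gen.next_entropy()
        guess = forecast_from_public_state(gen.block_hash, gen.index)
        hits += guess == gen.next_entropy()
    return hits / trials

class OracleEntropy:
    """Mitigated model: the mint is recorded first, the random word arrives later."""
    def __init__(self):
        self.pending, self.next_id = {}, 0

    def request(self, minter: str) -> int:
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = minter
        return rid

    def fulfil(self, rid: int, random_word: bytes) -> tuple[str, int]:
        minter = self.pending.pop(rid)   # KeyError on replay or unknown id
        return minter, _digest_int(random_word, rid.to_bytes(8, "big"))
```

A hit rate of 1.0 from forecast_hit_rate() means the entropy carries no unpredictability for an observer; in the oracle model the request is committed before the word that determines the value exists.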
Assessed type
Other