Canto Identity Subprotocols contest - Chom's results

Lines of code

https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-namespace-protocol/src/Tray.sol#L163 https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-namespace-protocol/src/Tray.sol#L247 https://github.com/code-423n4/2023-03-canto-identity/blob/077372297fc419ea7688ab62cc3fd4e8f4e24e66/canto-namespace-protocol/src/Utils.sol#L256-L261

Vulnerability details

Impact

• One can predict which emoji and text they want
• One can deterministically mint a tray with tiles that contains emoji and text they want

Rather than a random one as designed

Proof of Concept

    function buy(uint256 _amount) external {
        uint256 startingTrayId = _nextTokenId();
        if (prelaunchMinted == type(uint256).max) {
            // Still in prelaunch phase
            if (msg.sender != owner) revert OnlyOwnerCanMintPreLaunch();
            if (startingTrayId + _amount - 1 > PRE_LAUNCH_MINT_CAP) revert MintExceedsPreLaunchAmount();
        } else {
            SafeTransferLib.safeTransferFrom(note, msg.sender, revenueAddress, _amount * trayPrice);
        }
        for (uint256 i; i < _amount; ++i) {
            TileData[TILES_PER_TRAY] memory trayTiledata;
            for (uint256 j; j < TILES_PER_TRAY; ++j) {
                lastHash = keccak256(abi.encode(lastHash));
                trayTiledata[j] = _drawing(uint256(lastHash));
            }
            tiles[startingTrayId + i] = trayTiledata;
        }
        _mint(msg.sender, _amount); // We do not use _safeMint on purpose here to disallow callbacks and save gas
    }

...

    function _drawing(uint256 _seed) private pure returns (TileData memory tileData) {
        uint256 res = _seed % SUM_ODDS;
        uint256 charRandValue = Utils.iteratePRNG(_seed); // Iterate PRNG to not have any biasedness / correlation between random numbers

Function buy call _drawing, which request for a random number using Utils.iteratePRNG(_seed)

_seed may be predictable since it is lastHash. If there aren't much volume minting Tray, one can simulate lastHash accurately

    function iteratePRNG(uint256 _currState) internal pure returns (uint256 iteratedState) {
        unchecked {
            iteratedState = _currState * 15485863;
            iteratedState = (iteratedState * iteratedState * iteratedState) % 2038074743;
        }
    }

iteratePRNG does a very simple arithmetic operation. Obviously easy to predict.

One can also develop a smart contract to mint and revert if tiles he get doesn't contains what he want.

Tools Used

Manual review

Recommended Mitigation Steps

• Only allow EOA to mint
• Use more complex random number generators that utilize block number, block hash, timestamp, and more hard-to-predict values.