Platform: Code4rena
Start Date: 13/12/2022
Pot Size: $36,500 USDC
Total HM: 5
Participants: 77
Period: 3 days
Judge: gzeon
Total Solo HM: 1
Id: 191
League: ETH
Rank: 39/77
Findings: 1
Award: $45.71
🌟 Selected for report: 0
🚀 Solo Findings: 0
45.7078 USDC - $45.71
In VRFNFTRandomDraw, only the owner is allowed to call startDraw, so if the owner never calls startDraw the draw never takes place. A malicious owner can exploit this to commit draw fraud.
```solidity
function startDraw() external onlyOwner returns (uint256) {
```
Consider the following scenario: User A creates a VRFNFTRandomDraw contract and announces that a draw will be held among the holders of "ANFT", with the winner receiving a BAYC. The price of "ANFT" rises on speculation, and User A takes the opportunity to sell his "ANFT". However, since startDraw on the VRFNFTRandomDraw contract can only be called by User A, User A can simply never call it and thereby commit draw fraud.
None
Consider transferring the NFT to the contract when the contract is created, and set a deadline after which holders of the DrawingNFT are allowed to call startDraw themselves.
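The mitigation above sketched as an added example (not the project's code): the prize is escrowed before the raffle is live, the owner may start at any time, and once a deadline passes any holder of the drawing NFT may call startDraw. The contract name, the `IERC721Min` interface subset and the `startDelay` parameter are assumptions of this sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Minimal ERC-721 surface used here (hypothetical subset, not the project's interfaces).
interface IERC721Min {
    function ownerOf(uint256 tokenId) external view returns (address);
    function balanceOf(address owner) external view returns (uint256);
}

contract RaffleDeadlineSketch {
    address public immutable owner;
    IERC721Min public immutable prizeNft;   // NFT being raffled; must be escrowed here
    uint256 public immutable prizeTokenId;
    IERC721Min public immutable drawingNft; // holders of this NFT are the eligible entrants
    uint256 public immutable startDelay;    // seconds the owner has before holders may start
    uint256 public startDeadline;           // set when the prize arrives; 0 = not funded
    bool public drawStarted;

    event DrawStarted(address indexed by);

    constructor(IERC721Min _prizeNft, uint256 _prizeTokenId, IERC721Min _drawingNft, uint256 _startDelay) {
        owner = msg.sender;
        prizeNft = _prizeNft;
        prizeTokenId = _prizeTokenId;
        drawingNft = _drawingNft;
        startDelay = _startDelay;
    }

    // Mitigation part 1: the raffle only becomes live once the prize is sent here via
    // safeTransferFrom, and the deadline clock starts at that moment.
    function onERC721Received(address, address, uint256 tokenId, bytes calldata) external returns (bytes4) {
        require(msg.sender == address(prizeNft) && tokenId == prizeTokenId, "unexpected token");
        require(startDeadline == 0, "already funded");
        startDeadline = block.timestamp + startDelay;
        return this.onERC721Received.selector;
    }

    // The finding's vulnerable shape was `function startDraw() external onlyOwner`, which
    // lets an owner who changes their mind leave the raffle stuck forever. Mitigation part 2:
    // the owner may start at any time; after the deadline any drawing-NFT holder may.
    function startDraw() external {
        require(startDeadline != 0 && !drawStarted, "not funded or already started");
        require(prizeNft.ownerOf(prizeTokenId) == address(this), "prize not escrowed");
        bool holderAfterDeadline =
            block.timestamp >= startDeadline && drawingNft.balanceOf(msg.sender) > 0;
        require(msg.sender == owner || holderAfterDeadline, "not authorized yet");
        drawStarted = true;
        emit DrawStarted(msg.sender);
        // The randomness request (Chainlink VRF in the real contract) would follow here.
    }
}
```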
#0 - c4-judge
2022-12-17T16:36:53Z
gzeon-c4 marked the issue as duplicate of #195
#1 - gzeoneth
2022-12-17T16:38:18Z
I know #195 is regarding the redraw, but it's the same idea: if the owner should have the ability to control startDraw and redraw, or he should commit when creating the raffle.
#2 - c4-judge
2023-01-23T16:56:42Z
gzeon-c4 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-01-23T16:58:58Z
gzeon-c4 marked the issue as grade-b