Unhandled Arrng service failure #1361

Closed
c4-submissions opened this issue Nov 12, 2023 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working duplicate-1464 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerRNG.sol#L42

Vulnerability details

Impact

The NextGenRandomizerRNG contract utilizes the Arrng service to generate a token hash. The calculateTokenHash function triggers requestRandomWords, which, in turn, requests a random word (a single uint256 value) from the Arrng service. The Arrng service is expected to trigger receiveRandomness, using fulfillRandomWords to set the hash. The issue arises from the fact that the Arrng service might fail, and in such cases, it refunds the received payment.

This can be observed in ArrngController:
https://github.com/arrng/arrng-contracts/blob/117d2eadc55eaabb5bea58396dbc8f421d735fd5/contracts/controller/ArrngController.sol#L500-L506

Refunding NextGenRandomizerRNG:
https://github.com/arrng/arrng-contracts/blob/117d2eadc55eaabb5bea58396dbc8f421d735fd5/contracts/controller/ArrngController.sol#L582-L591

The failures happen and can be observed on https://www.arrscan.io - filter status for "fail" or "error".

Once the Arrng service fails to provide the correct value, the token hash is unset and has a default value of 0.

Proof of Concept

  1. A user mints a new token.
  2. The NextGenRandomizerRNG randomizer is used to provide a random hash value.
  3. The Arrng service fails to provide the random value and refunds the cost.
  4. The minted token is left with an unset token hash, equal to the value 0.

Tools Used

Manual Review

Recommended Mitigation Steps

It is recommended to add administrative functionality that allows triggering the setting of a token hash value through the Arrng service in case it failed.

Assessed type

Error
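
The failure path in the proof of concept and the recommended retry, as an added Python model that is not part of the original submission and is not NextGen or Arrng code. The class and method names are hypothetical, and the SHA-256 derivation is a stand-in for whatever the contract actually computes.

```python
# Added model for illustration; all names here are hypothetical.
import hashlib
from dataclasses import dataclass, field

ZERO_HASH = b"\x00" * 32  # default value of an unset 32-byte token hash


@dataclass
class RandomizerModel:
    token_hash: dict = field(default_factory=dict)        # token id -> 32-byte hash
    request_to_token: dict = field(default_factory=dict)  # open request id -> token id
    next_request_id: int = 1

    def request_hash(self, token_id: int) -> int:
        """Mint path: record an open request and leave the hash unset."""
        self.token_hash.setdefault(token_id, ZERO_HASH)
        request_id = self.next_request_id
        self.next_request_id += 1
        self.request_to_token[request_id] = token_id
        return request_id

    def fulfill(self, request_id: int, random_word: int) -> None:
        """Service callback on success: store the hash and close the request.
        An unknown or superseded request id raises KeyError."""
        token_id = self.request_to_token.pop(request_id)
        preimage = random_word.to_bytes(32, "big") + token_id.to_bytes(32, "big")
        self.token_hash[token_id] = hashlib.sha256(preimage).digest()  # stand-in

    def refund(self, request_id: int) -> None:
        """Service failure: payment is returned and no callback ever arrives,
        so nothing changes here and the token keeps the zero default."""

    def unset_tokens(self) -> list:
        """Reconciliation check: token ids whose hash is still the zero default."""
        return sorted(t for t, h in self.token_hash.items() if h == ZERO_HASH)

    def admin_retry(self, token_id: int) -> int:
        """Retry as recommended above, but only for a token that is still unset."""
        if self.token_hash.get(token_id) != ZERO_HASH:
            raise ValueError("token is unknown or already has a hash")
        # Drop the stale request id so a late callback cannot also write.
        for rid in [r for r, t in self.request_to_token.items() if t == token_id]:
            del self.request_to_token[rid]
        return self.request_hash(token_id)
```

The two guards in `admin_retry` are the part worth carrying over to a real implementation: a retry must not overwrite a hash that was already set, and the superseded request must not remain fulfillable.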

@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 12, 2023
c4-submissions added a commit that referenced this issue Nov 12, 2023
@c4-pre-sort

141345 marked the issue as duplicate of #1464

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 6, 2023
@c4-judge

c4-judge commented Dec 6, 2023

alex-ppg marked the issue as unsatisfactory:
Invalid

@c4-judge

c4-judge commented Dec 9, 2023

alex-ppg marked the issue as unsatisfactory:
Invalid
