NFTs can have empty hashes, hence the NFT's image is the same #1801
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
duplicate-1464
unsatisfactory: does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/arrng/arrng-contracts/blob/117d2eadc55eaabb5bea58396dbc8f421d735fd5/contracts/controller/ArrngController.sol#L582-L591
Vulnerability details
Impact
The Arrng protocol cannot guarantee the success or failure of your request. The logic for handling failed requests can be found here. As there is no Arrng documentation available, it's unclear how this scenario will unfold. Since Arrng's random requests may fail, the RandomizerRNG::fulfillRandomWords() function will never be executed by the Arrng protocol, resulting in the tokenId of the failed request lacking a hash. Since the hash influences the visual representation of the artwork, identical hashes would produce identical images. Naturally, we want to avoid having two NFTs with the same image.
Tools Used
Manual Review
Recommended Mitigation Steps
Arrng protocol is not reliable, so don't use it
Assessed type
Other
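The failure mode reported above, as an added Python model that is not part of the original submission or the audited contracts: a mint records a pending RNG request, the hash is only written in the callback, and an audit pass flags tokens left with the default empty hash. The class, field and function names other than the callback's are hypothetical, and SHA-256 stands in for the contract's hashing.

```python
# Constructed model of an asynchronous RNG callback flow. Names are
# hypothetical and do not mirror the audited contracts' storage layout.
import hashlib
from collections import defaultdict

EMPTY_HASH = bytes(32)  # default bytes32 value of an unset Solidity mapping entry


class RandomizerModel:
    def __init__(self):
        self.token_hash = {}   # tokenId -> 32-byte hash
        self.pending = {}      # requestId -> tokenId awaiting a callback
        self._next_request = 1

    def mint(self, token_id):
        """Mint opens an RNG request; the hash stays empty until fulfilled."""
        request_id = self._next_request
        self._next_request += 1
        self.pending[request_id] = token_id
        self.token_hash[token_id] = EMPTY_HASH
        return request_id

    def fulfill_random_words(self, request_id, random_word):
        """Callback path: runs only if the RNG provider delivers a response."""
        token_id = self.pending.pop(request_id)
        # Assumption: SHA-256 over (random word, tokenId) as a stand-in hash.
        self.token_hash[token_id] = hashlib.sha256(
            random_word.to_bytes(32, "big") + token_id.to_bytes(32, "big")
        ).digest()


def audit(model):
    """Return (token ids with an empty hash, groups of ids sharing one hash)."""
    by_hash = defaultdict(list)
    for token_id, h in model.token_hash.items():
        by_hash[h].append(token_id)
    unfulfilled = sorted(by_hash.get(EMPTY_HASH, []))
    collisions = [sorted(ids) for ids in by_hash.values() if len(ids) > 1]
    return unfulfilled, collisions


def demo():
    m = RandomizerModel()
    reqs = {tid: m.mint(tid) for tid in (1, 2, 3)}
    m.fulfill_random_words(reqs[1], random_word=0xA11CE)  # provider answered
    # Requests for tokens 2 and 3 failed at the provider: no callback arrives.
    return audit(m), sorted(m.pending.values())
```

Requests still listed in `pending` are the ones a retry or fallback path would need to pick up.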