Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Minted NFTs may always stay in pending state due to response failure by arrng contract #1875

Closed
c4-submissions opened this issue Nov 13, 2023 · 3 comments
Closed

Minted NFTs may always stay in pending state due to response failure by arrng contract #1875

c4-submissions opened this issue Nov 13, 2023 · 3 comments
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-1307 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/NextGenCore.sol#L227
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerRNG.sol#L40
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerRNG.sol#L48

Vulnerability details

Impact

Hash of minted token will not be set to random value if fulfillRandomWords function of NextGenRandomizerRNG contract is not called by random numbers provider arrng contract due to low amount of eth sent by NextGenRandomizerRNG contract. This means, random numbers will not be receied and hash of minted will stay 0x0000...00 causing it to stay in pending state forever as there is not method in NextGenCore contract to change hash of pending tokens.

Proof of Concept

Request for random numbers to arrng contract is submitted by NextGenRandomizerRNG contract. If all goes well, arrng contract will send the random numbers by calling fulfillRandomWords function of NextGenRandomizerRNG contract. Documentation of arrng contract states

You will need to send enough native token (e.g. ETH) for the response with the random number.

Since, gas of ETH transaction keeps on changing, arrng contract may not be able to send back the random numbers for submitted requests. Thus causing the tokens to stay in pending state forever.

    function requestRandomWords(uint256 tokenid, uint256 _ethRequired) public payable {
        require(msg.sender == gencore);
        uint256 requestId = arrngController.requestRandomWords{value: _ethRequired}(1, (address(this)));
        tokenToRequest[tokenid] = requestId;
        requestToToken[requestId] = tokenid;

    }

    function fulfillRandomWords(uint256 id, uint256[] memory numbers) internal override {
        gencoreContract.setTokenHash(tokenIdToCollection[requestToToken[id]], requestToToken[id], bytes32(abi.encodePacked(numbers,requestToToken[id])));
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Add a method in NextGenCore contract to change hash of pending tokens.

Assessed type

Oracle
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-submissions
cryptothemex issue #1875
87a0a9b
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #1307

@141345
Copy link

141345 commented Nov 27, 2023

related to #1464

@c4-judge
Copy link

c4-judge commented Dec 6, 2023

alex-ppg marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added the unsatisfactory does not satisfy C4 submission criteria; not eligible for awards label Dec 6, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working duplicate-1307 unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@141345 @c4-judge @c4-pre-sort @c4-submissions