Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

getWord in XRandom.sol, produces inconsistent output #1008

Open
c4-submissions opened this issue Nov 11, 2023 · 6 comments
Open

getWord in XRandom.sol, produces inconsistent output #1008

c4-submissions opened this issue Nov 11, 2023 · 6 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-18 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/main/smart-contracts/XRandoms.sol#L28-L32

Vulnerability details

Impact

getWord() never returns the last element and returns the element at index 0 with twice the possibility compared to others

Proof of Concept

getWord function is called from inside randomWord

function randomWord() public view returns (string memory) {
        uint256 randomNum = uint(keccak256(abi.encodePacked(block.prevrandao, blockhash(block.number - 1), block.timestamp))) % 100;
        return getWord(randomNum);
    }

the value of randomNum always will remain between 0 <= randomNum < 100

But the getWord is implemented correctly for this value range

if (id==0) {
    return wordsList[id];
} else {
    return wordsList[id - 1];
}

Here is a relationship between randomNum variable and the output of getWord function

randomNum Output Of getWord
0 Acai
1 Acai
... ...
99 Velvet Apple

As it can be seen, wordsList[0] which is "Acai" will be returned twice and wordlist[99] which is "Watermelon" will never be returned.

Tools Used

Manual

Recommended Mitigation Steps

if (id==0) {
    return wordsList[id];
} else {
    return wordsList[id - 1];
}

Should be changed to

return wordList[id]

Assessed type

Other
@c4-submissions c4-submissions added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Nov 11, 2023
c4-submissions added a commit that referenced this issue Nov 11, 2023
@c4-submissions
rishabh issue #1008
4fb4316
@c4-pre-sort
Copy link

141345 marked the issue as duplicate of #508

@c4-judge c4-judge mentioned this issue Dec 4, 2023
Closed
@c4-judge c4-judge reopened this Dec 4, 2023
@c4-judge c4-judge added primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report labels Dec 4, 2023
@c4-judge
Copy link

c4-judge commented Dec 4, 2023

alex-ppg marked the issue as selected for report

@alex-ppg
Copy link

alex-ppg commented Dec 4, 2023

The Warden has illustrated that the getWord function as utilized in the operational portion of the NextGen system is flawed due to incorrect usage of the input argument.

While a correct observation, this would simply double the chance of "Acai" and render the "Watermelon" word inaccessible. Thus, the randomness of the function is affected to a small degree rendering this exhibit to be of QA (low risk).

@c4-judge
Copy link

c4-judge commented Dec 4, 2023

alex-ppg changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Dec 4, 2023
@c4-judge c4-judge mentioned this issue Dec 5, 2023
Closed
This was referenced Dec 5, 2023
Closed
Open
Open
Open
Open
Open
Open
Open
Closed
Open
Open
Open
@c4-judge
Copy link

c4-judge commented Dec 8, 2023

alex-ppg marked the issue as grade-b

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label Dec 9, 2023
@c4-judge
Copy link

c4-judge commented Dec 9, 2023

alex-ppg marked the issue as not selected for report

@SovaSlava SovaSlava mentioned this issue Dec 9, 2023
Closed
@thangtranth thangtranth mentioned this issue Dec 10, 2023
Closed
@C4-Staff C4-Staff added the Q-18 label Dec 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-b primary issue Highest quality submission among a set of duplicates Q-18 QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@alex-ppg @c4-judge @c4-pre-sort @C4-Staff @c4-submissions