From ab9297e0aa27f71eb8e956991a250e5be749377f Mon Sep 17 00:00:00 2001
From: C4 <81770958+code423n4@users.noreply.github.com>
Date: Thu, 15 Dec 2022 17:48:23 +0100
Subject: [PATCH] HE1M data for issue #153

---
 data/HE1M-Q.md | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 data/HE1M-Q.md

diff --git a/data/HE1M-Q.md b/data/HE1M-Q.md
new file mode 100644
index 0000000..08dff31
--- /dev/null
+++ b/data/HE1M-Q.md
@@ -0,0 +1,6 @@
+## No. 1
+During initializing a draw, the protocol does not check that the token id of NFT collection (drawing token) exists or not. For example, the owner uses crypto punk as drawing token and sets `drawingTokenStartId = 0` and `drawingTokenEndId = 10100`, while the total supply of crypto punk is **10000**. So, if, after the draw, the chosen token id is equal to 10050, no one can win the NFT, because such token id does not exists in crypto punk collection. So, it is better to have the following check in the function `initialize` to prevent such mistakes:
+```
+require(_settings.drawingTokenEndId <  IERC721EnumerableUpgradeable(settings.drawingToken).totalSupply());
+``` 
+https://github.com/code-423n4/2022-12-forgeries/blob/fc271cf20c05ce857d967728edfb368c58881d85/src/VRFNFTRandomDraw.sol#L75
\ No newline at end of file