RandomizerVRF.sol
: malicious function admin can set invalid keyhash to DoS randomness generation
#1704
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
edited-by-warden
sponsor disputed
Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
sufficient quality report
This report is of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Lines of code
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerVRF.sol#L79-L82
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/smart-contracts/RandomizerVRF.sol#L52-L63
Vulnerability details
Impact
Malicious function admin can set an invalid keyhash so that randomness generation will be DoSed. The idea is similar to this finding: code-423n4/2022-12-forgeries-findings#101
Proof of Concept
Malicious function admin can call
updatecallbackGasLimitAndkeyHash()
to set an invalid keyhash:This keyhash will be used to send randomness generation requests to Chainlink VRF:
Since there is no check on validity of keyhash, calls to
requestRandomWords()
will always revert ifkeyHash
is invalid, hence randomness generation will be DoSed.Tools Used
Manual review
Recommended Mitigation Steps
Validate keyhash inside
updatecallbackGasLimitAndkeyHash()
. Compare the new keyhash with a whitelisted possible keyhashes.Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: