The Puppy Raffle NFT team is back! And this time, they've learnt from their mistakes... It couldn't have been their fault their last contract had so many bugs, so puppies and Solidity must have just been bad luck! They decided to try this again, with sneks and Vyper! Surely that was the issue last time? The Puppy Raffle team loves being on the cutting edge, so this codebase is built with a new beta release of the Vyper compiler!
High - 100xp
Medium - 20xp
Low - 2xp
Starts: March 07, 2024 Noon UTC
Ends: March 14, 2024 Noon UTC
nSLOC: 136
Complexity Score: π
Introducing... Imports!! The Vyper compiler now features imports, and you can see we use imports from the snekmate repo. We pip installed the library by invoking:
pip3 install git+https://github.com/pcaversaccio/snekmate.git@modules -t contracts/libraries
And then we removed all the files except the ones we needed.
We will use snekmate's latest ERC721.vy contract, which is compatible with the latest Vyper compiler version, but the contract itself is considered out of scope for this audit.
You can see how we import the ERC721.vy contract in the snek_raffle.vy contract:
from libraries.snekmate.tokens import ERC721 # Imports the contract
initializes: ERC721 # This means that our contract initializes with the __init__ func of the ERC721 contract
exports: ( # In Vyper, you have to specify what external functions you want your contract to use/inherit
    ERC721.balanceOf,
    ERC721.ownerOf,
    .
    .
)
.
.
.
ERC721.__init__("Snek Raffle", "SNEK", "", "snek raffle", "v0.0.1") # This is how we initialize the ERC721 contract in our constructor
You cannot inherit/override internal functions. This is a specific design choice by the Vyper team - so that knowing exactly what a function is supposed to do is easier.
The snek_raffle.vy is the main contract that the team is looking for a security review on, and the only contract considered in-scope. The contract functionality is as such:
enter_raffle: Users pay the ENTRANCE_FEE to enter the snek raffle
request_raffle_winner: This is the function to kick off a Chainlink VRF call to get a random winner. This function can be called only when the following conditions are met:
    raffle_state is set to OPEN
    RAFFLE_DURATION has passed since the raffle was opened
    players
    balance in the contract
rawFulfillRandomWords: The function that the Chainlink VRF calls back to give the contest a random winner. The following happens when this function is called:
    OPEN
    players array is reset
    last_timestamp is reset
When someone wins a snek, it should have all the functionality of a normal NFT. It should be able to be viewed, transferred, approved, etc.
Note: If you find an issue with ERC721.vy, ignore it. If the snek_raffle.vy forgets to import/export a function, or uses it wrong, consider that a bug. But if the function itself is wrong in ERC721.vy, that's fine. We are pretending that contract is perfect for this review.
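A reviewer can check the export list mechanically. The sketch below is an added example, not code from the contest repository: it parses the `exports:` declarations of a Vyper source and reports which standard ERC-721 functions are not exposed. The helper names and the sample source are constructed for illustration, and the expected names are taken from the EIP-721 interface on the assumption that the imported module uses those same names.

```python
import re

# EIP-721 core functions plus ERC-165, and the optional metadata extension.
ERC721_CORE = {
    "balanceOf", "ownerOf", "approve", "getApproved", "setApprovalForAll",
    "isApprovedForAll", "transferFrom", "safeTransferFrom", "supportsInterface",
}
ERC721_METADATA = {"name", "symbol", "tokenURI"}

# Matches `exports: Mod.fn` and the parenthesised multi-line form.
EXPORTS_RE = re.compile(
    r"^exports:\s*(?:\((?P<multi>.*?)\)|(?P<single>[^\n(]+))", re.S | re.M
)

def strip_comments(source: str) -> str:
    """Drop '#' comments so a name mentioned only in a comment is not counted."""
    return "\n".join(line.split("#", 1)[0] for line in source.splitlines())

def exported_functions(source: str, module: str = "ERC721") -> set:
    """Names re-exported from `module` by the contract's `exports:` declarations."""
    names = set()
    for m in EXPORTS_RE.finditer(strip_comments(source)):
        body = m.group("multi") or m.group("single") or ""
        for item in (part.strip() for part in body.split(",")):
            if item.startswith(module + "."):
                names.add(item[len(module) + 1:])
    return names

def missing_exports(source: str, module: str = "ERC721") -> dict:
    """Standard ERC-721 functions the contract does not expose, by group."""
    exported = exported_functions(source, module)
    return {"core": sorted(ERC721_CORE - exported),
            "metadata": sorted(ERC721_METADATA - exported)}

# Constructed sample, NOT the real snek_raffle.vy export list.
SAMPLE = """
from libraries.snekmate.tokens import ERC721
initializes: ERC721
exports: (  # commented-out name must not count: ERC721.tokenURI
    ERC721.balanceOf,
    ERC721.ownerOf,
    ERC721.approve,
    ERC721.getApproved,
    ERC721.transferFrom,
    ERC721.safeTransferFrom,
    ERC721.name,
    ERC721.symbol,
)
"""

if __name__ == "__main__":
    print(missing_exports(SAMPLE))
```

A function reported as missing is only a lead: confirm by hand whether the contract defines its own external function with that name before writing it up.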
The contracts rely on the Chainlink VRF to get a random number. Assume the contract/subscription will always be properly funded with LINK tokens.
There are 3 NFTs that can be won in the snek raffle, each with varying rarity.
The Chainlink VRF is used to get a random number, and the random number is used to determine the winner.
git --version and you see a response like git version x.x.x
python3 --version and you see a response like Python x.x.x
pip3 --version and you see a response like pip x.x.x from /path/to/site-packages/pip (python x.x)
If this is your first time using a python virtual environment, you can learn more about it here, and we highly advise that you work with an AI to help you get set up. AIs like ChatGPT tend to be very good at python debugging.
git clone https://github.com/Cyfrin/2024-03-snek-raffle
cd 2024-03-snek-raffle
make venv
source ./venv/bin/activate
make install
Be sure to run source ./venv/bin/activate before you install!
or, if make doesn't work:
python3 -m venv ./venv
source ./venv/bin/activate
pip3 install vyper==0.4.0b1
pip3 install git+https://github.com/vyperlang/titanoboa@vyper-0.4.0
Q: Why not a requirements.txt file?
A: Because this is an experimental package and the dependencies are all messed up right now.
You'll be in something called a "virtual environment" which will have all the packages you need for this project to run tests. To "leave" the python virtual environment, just run deactivate.
The above will install the new experimental vyper compiler and titanoboa testing framework, so it might take a little longer to install than normal.
You can manually compile the vyper contract with this command:
vyper contracts/snek_raffle.vy
or
python3 -m vyper contracts/snek_raffle.vy
pytest
or
python3 -m pytest
└── contracts
    └── snek_raffle.vy
0.4.0b1 (Experimental new Vyper compiler version)
Rank | Username | ||||
1 | E EloiManuel | 840 | 4 (0) | 1 (0) | 0 |
2 | g | 771 | 3 (0) | 2 (0) | 2 |
3 | t | 656 | 2 (0) | 2 (0) | 0 |
4 | B | 328 | 1 (0) | 1 (0) | 2 |
5 | e emacab98 | 296 | 1 (0) | 2 (0) | 0 |
6 | s | 288 | 1 (0) | 2 (0) | 2 |
7 | n | 288 | 1 (0) | 2 (0) | 2 |
8 | 4 | 280 | 1 (0) | 2 (0) | 0 |
9 | s | 244 | 1 (0) | 1 (0) | 1 |
10 | 0 | 240 | 1 (0) | 1 (0) | 0 |
11 | L | 240 | 1 (0) | 1 (0) | 0 |
12 | n | 240 | 1 (0) | 1 (0) | 0 |
13 | h | 84 | 0 (0) | 2 (0) | 1 |
14 | 0 | 80 | 0 (0) | 2 (0) | 0 |
15 | C Coffee | 40 | 0 (0) | 1 (0) | 0 |
16 | C CarlosAlbaWork | 40 | 0 (0) | 1 (0) | 0 |
17 | A Awacs | 40 | 0 (0) | 1 (0) | 0 |
18 | p | 40 | 0 (0) | 1 (0) | 0 |
19 | V VicRdev | 40 | 0 (0) | 1 (0) | 0 |