function BuyNFT()external {

uint256 balance = token.balanceOf(_msgSender());

nftPrice = NFT.getPrice();

require(balance >= nftPrice , "Not enought token");

_buyBox(msgSender());

}

function _buyBox(address receiver) internal{

uint256 scarce = random();

token.transferFrom(_msgSender(), feeAdress, nftPrice .mul(10 ** _decimals));

NFT.receive(receiver, scarce);
}


I have a token transfer function that will get 1 NFT back, 1 NFT will have random rarity, but hackers can write another contract to call the function in my contract, they only receive NFTs with high rarity. , if NFT has low rarity, they will revert that transaction

If the scarcity is low, they will revert the transaction from the contract they programmed to attack

I don't know how to fix it

if uint256 scarce low radity

hacker will revert transaction and he don't lose money on
code: token.transferFrom(_msgSender(), feeAdress, nftPrice .mul(10 ** _decimals));