Open minhquanym opened 2 weeks ago
same as https://github.com/CDSecurity/Blessed-Immeas/issues/3 I had a long debate with myself if the impact is high or medium here. Both are fine with me. Medium because no funds are at risk. High because it breaks the main thing this contract is for, being a lottery.
[H-01] Buyers could call
requestRandomness()
instead ofroll()
to avoid payingrollPrice
Severity
Impact: Medium
Likelihood: High
Description
In the
LotteryV2Base
contract, buyers can roll a dice to generate a random number. Those who roll numbers close to the seller's number become eligible for minting.Each roll costs a
rollPrice
. However, the contract also includes a public function,requestRandomness()
, that anyone can use to generate a new random number. This allows users to sidestep therollPrice
.Recommendations
Consider limiting the ability to call the
requestRandomness()
function to the seller only.