CDSecurity / Blessed-minhquanym


[H-01] Buyers could call `requestRandomness()` instead of `roll()` to avoid paying `rollPrice` #1

Open minhquanym opened 2 weeks ago

minhquanym commented 2 weeks ago

[H-01] Buyers could call requestRandomness() instead of roll() to avoid paying rollPrice

Severity

Impact: Medium

Likelihood: High

Description

In the LotteryV2Base contract, buyers can roll a dice to generate a random number. Those who roll numbers close to the seller's number become eligible for minting.

Each roll costs a rollPrice. However, the contract also includes a public function, requestRandomness(), that anyone can use to generate a new random number. This allows users to sidestep the rollPrice.

```solidity
// @audit can be used instead of roll() to avoid rollPrice
function requestRandomness() external {
    _requestRandomness(abi.encode(_msgSender()));
    emit RandomRequested(_msgSender());
}

function roll() public lotteryStarted {
    require(rollPrice > 0, "No roll price set");
    require(deposits[_msgSender()] >= rollPrice + minimumDepositAmount, "Insufficient funds");

    deposits[_msgSender()] -= rollPrice;
    deposits[seller] += rollPrice;

    _requestRandomness(abi.encode(_msgSender()));
}
```

Recommendations

Consider limiting the ability to call the requestRandomness() function to the seller only.
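
The recommendation above, shown as an added sketch that is not part of the original report or the project's code: a minimal stand-in for `LotteryV2Base` in which `requestRandomness()` is restricted to the seller and `roll()` stays the only path open to buyers. `LotterySketch`, `NotSeller`, `onlySeller`, the payable `deposit()`, `requestCount` and the body of `_requestRandomness()` are assumptions made so the contract compiles on its own; `msg.sender` replaces `_msgSender()` and the `lotteryStarted` modifier is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustration only: keeps just the state that roll() and requestRandomness() touch.
contract LotterySketch {
    address public immutable seller;
    uint256 public rollPrice;
    uint256 public minimumDepositAmount;
    mapping(address => uint256) public deposits;
    uint256 public requestCount; // assumption: stand-in for the randomness provider's request counter

    event RandomRequested(address indexed requester);

    error NotSeller(address caller);

    // Assumption: the seller is fixed at deployment; the real contract may set it differently.
    modifier onlySeller() {
        if (msg.sender != seller) revert NotSeller(msg.sender);
        _;
    }

    constructor(uint256 rollPrice_, uint256 minimumDepositAmount_) {
        seller = msg.sender;
        rollPrice = rollPrice_;
        minimumDepositAmount = minimumDepositAmount_;
    }

    // Assumption: deposits are native currency; the real deposit mechanism is not shown in the report.
    function deposit() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Hardened: the unpaid entry point now reverts for everyone except the seller.
    function requestRandomness() external onlySeller {
        _requestRandomness(abi.encode(msg.sender));
        emit RandomRequested(msg.sender);
    }

    // Paid path for buyers, same accounting as the snippet in the report.
    function roll() public {
        require(rollPrice > 0, "No roll price set");
        require(deposits[msg.sender] >= rollPrice + minimumDepositAmount, "Insufficient funds");
        deposits[msg.sender] -= rollPrice;
        deposits[seller] += rollPrice;
        _requestRandomness(abi.encode(msg.sender));
    }

    // Placeholder for the provider call; here it only counts requests.
    function _requestRandomness(bytes memory) internal {
        requestCount++;
    }
}
```

With this change, a buyer's call to `requestRandomness()` reverts with `NotSeller`, so every buyer-initiated request increments `requestCount` only after `rollPrice` has moved from the buyer's deposit to the seller's.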

0ximmeas commented 1 week ago

Same as https://github.com/CDSecurity/Blessed-Immeas/issues/3. I had a long debate with myself if the impact is high or medium here. Both are fine with me. Medium because no funds are at risk. High because it breaks the main thing this contract is for, being a lottery.