code-423n4 / 2023-03-wenwin-findings


User can put own address as frontend's address in buyTickets() and get frontend reward #135

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/wenwincom/wenwin-contracts/blob/main/src/Lottery.sol#L113

Vulnerability details

Impact

The contract is missing a check for msg.sender != frontend, so a user can buy a ticket, pass their own address in the frontend parameter, and get the reward as the frontend.

Proof of Concept

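        // Fragment of a Foundry test; drawIds and tickets are assumed to be set up earlier in the test.
        vm.startPrank(USER);
        rewardToken.mint(5 ether);
        rewardToken.approve(address(lottery), 10 ether);
        // USER passes their own address as the frontend argument.
        lottery.buyTickets(drawIds, tickets, USER, address(0));
        console.log("before balance - ", rewardToken.balanceOf(USER));
        // USER then claims the frontend reward.
        lottery.claimRewards(LotteryRewardType.FRONTEND);
        console.log("after balance - ", rewardToken.balanceOf(USER));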

Tools Used

ide

Recommended Mitigation Steps

I think the owner should have a function to add/delete frontends manually, OR require(msg.sender != frontend) in the buyTickets function.
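
The two options from the Recommended Mitigation Steps, combined in one contract as an added example (not part of the original report and not Wenwin's code). The contract and all of its names, the ETH payment, the ticket price, the 10% frontend share and the treatment of `address(0)` as "no frontend" are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for a lottery with frontend rewards; every name below is illustrative.
contract FrontendRegistrySketch {
    address public immutable owner;
    uint256 public constant TICKET_PRICE = 1 ether;    // assumed price
    uint256 public constant FRONTEND_SHARE_BPS = 1000; // assumed 10% frontend share
    mapping(address => bool) public isFrontend;        // owner-managed allowlist
    mapping(address => uint256) public frontendDue;    // unclaimed frontend rewards

    event FrontendSet(address indexed frontend, bool allowed);
    error NotOwner();
    error UnknownFrontend(address frontend);
    error SelfAsFrontend();
    error WrongPayment();

    constructor() { owner = msg.sender; }

    // Option 1 from the report: the owner adds or deletes frontends manually.
    function setFrontend(address frontend, bool allowed) external {
        if (msg.sender != owner) revert NotOwner();
        isFrontend[frontend] = allowed;
        emit FrontendSet(frontend, allowed);
    }

    function buyTickets(uint256 ticketCount, address frontend) external payable {
        if (msg.value != ticketCount * TICKET_PRICE) revert WrongPayment();
        // address(0) means the purchase did not come through a frontend (assumption).
        if (frontend != address(0)) {
            if (!isFrontend[frontend]) revert UnknownFrontend(frontend);
            if (frontend == msg.sender) revert SelfAsFrontend(); // option 2 from the report
            frontendDue[frontend] += msg.value * FRONTEND_SHARE_BPS / 10_000;
        }
    }

    function claimFrontendReward() external {
        uint256 due = frontendDue[msg.sender];
        frontendDue[msg.sender] = 0; // clear the balance before the external call
        (bool ok, ) = msg.sender.call{value: due}("");
        require(ok, "transfer failed");
    }
}
```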

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)