search

code-423n4 / 2023-03-wenwin-findings

1 stars 1 forks source link

returnUnclaimedJackpotToThePot() return to pot only Jackpot, but in docs: return Winning tickets(not only jackpot) #138

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/wenwincom/wenwin-contracts/blob/1fe7ffb8ada5f2c0dea1d6089470b342286aa3fd/src/Lottery.sol#L274

Vulnerability details

Impact

function returnUnclaimedJackpotToThePot() return to pot only Jackpot after 1 year, but in documentation: https://docs.wenwin.com/wenwin-lottery/the-game

Winning tickets have up to 1 year to claim their prize. If a prize is not claimed before this period, the unclaimed prize money will go back to the Prize Pot.

All Winning tickets, not only jackpot.

Developer in discord said that it didnt done and its very diffucult. But I know, how to fix it(partly). if user with win ticket(not jackpot) call claimWinningTickets(), and contract check time in claimable() function, we can add block 'else' in 'claimable' function and inside this block move tokens to pot.

Proof of Concept

quote from code

             function claimable(uint256 ticketId) external view override returns (uint256 claimableAmount, uint8 winTier) {
        TicketInfo memory ticketInfo = ticketsInfo[ticketId];
        if (!ticketInfo.claimed) {
            uint120 _winningTicket = winningTicket[ticketInfo.drawId];
            winTier = TicketUtils.ticketWinTier(ticketInfo.combination, _winningTicket, selectionSize, selectionMax);
            if (block.timestamp <= ticketRegistrationDeadline(ticketInfo.drawId + LotteryMath.DRAWS_PER_YEAR)) {
                claimableAmount = winAmount[ticketInfo.drawId][winTier];
            }
            else {
                // new block
                currentNetProfit += winAmount[ticketInfo.drawId][winTier];
                unclaimedCount[ticketsInfo[ticketId].drawId][ticketsInfo[ticketId].combination]--;
                markAsClaimed(ticketId);
             // but this function will not be view.. of course, dev can do it with different code. I say only my idea.
             }
        }
    }

Tools Used

VS code

Recommended Mitigation Steps

return amount to pot from all winning tickets

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #303

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)