code-423n4 / 2023-03-wenwin-findings


Users need to completely trust the owner #171

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/main/src/RNSourceController.sol#L89-L104

Vulnerability details

Impact

On the Wenwin website it is mentioned:

"The Wenwin Lottery is a fun, fully decentralized Web3 lottery with no third-party getting in the way of you winning."

This problem is certainly not aligned with this statement.

Proof of Concept

This attack is mainly possible because the owner has partial control over the oracle and also has complete control in changing the oracle after a certain number of failed attempts to call it. Imagine this scenario:

  1. Owner launches a lottery
  2. Owner pays the oracle to answer the lottery contract requests
  3. Lottery grows in popularity and people start buying tickets for future lotteries
  4. Owner stops paying the oracle
  5. Oracle stops answering the calls from the contract
  6. Owner calls the executeDraw more than maxFailedAttempts times
  7. Owner changes the oracle to a malicious one
  8. Owner calls executeDraw as many times as he wants so the malicious oracle will answer the lottery contract requests
  9. Owner wins all the future lotteries
  10. Owner steals all the money from the lottery contract

Tools Used

Manual Review

Recommended Mitigation Steps

Two ways to mitigate this problem can be as follows.

  1. If swapSource is called, all the nonFinalized lotteries will be automatically refunded to the users. Basically, each lottery is linked to the oracle that was set for the contract; if that oracle is gone, the lottery is gone.
  2. If swapSource is called, no one should be able to call executeDraw for a certain amount of time. And there should be a refund functionality for users. This will give users enough time to get a refund if they don't want to trust the new oracle.

c4-judge commented 1 year ago

thereksfour marked the issue as unsatisfactory: Invalid
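
The second mitigation proposed in the report, sketched in Solidity as an added example (not part of the report and not Wenwin's code): swapSource starts a pause during which executeDraw reverts and buyers of non-finalized draws can refund. Only swapSource, executeDraw and maxFailedAttempts come from the report; the contract, the IRandomSource interface, the 7-day window and the failure accounting are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
// Added sketch, not Wenwin's code. Only swapSource, executeDraw and
// maxFailedAttempts come from the report; all other names are assumptions.
interface IRandomSource { function requestRandomNumber() external; }

contract CooldownLottery {
    uint256 public constant SWAP_COOLDOWN = 7 days; // assumed refund window
    address public immutable owner;
    uint256 public immutable maxFailedAttempts;
    IRandomSource public source;
    uint256 public failedAttempts;    // consecutive failed requests
    uint256 public drawsBlockedUntil; // end of the pause started by swapSource
    uint256 public currentDraw;       // first draw that is not finalized
    mapping(uint256 => mapping(address => uint256)) public paid; // draw => buyer => wei

    constructor(IRandomSource initialSource, uint256 maxFailed) {
        owner = msg.sender; source = initialSource; maxFailedAttempts = maxFailed;
    }
    function buyTickets(uint256 draw) external payable {
        require(draw >= currentDraw, "draw already finalized");
        paid[draw][msg.sender] += msg.value;
    }
    function executeDraw() external {
        require(block.timestamp >= drawsBlockedUntil, "paused after source swap");
        // Simplification: a reverting request is what counts as a failed attempt.
        try source.requestRandomNumber() {} catch { failedAttempts++; }
    }
    // The pause also binds the callback, so a new source cannot finalize early.
    function fulfill(uint256 /* randomNumber */) external {
        require(msg.sender == address(source) && block.timestamp >= drawsBlockedUntil, "not allowed");
        failedAttempts = 0;
        currentDraw++; // winner selection omitted; the draw is now finalized
    }
    // The owner can still replace a dead source, but doing so starts the pause.
    function swapSource(IRandomSource newSource) external {
        require(msg.sender == owner && failedAttempts >= maxFailedAttempts, "swap not allowed");
        source = newSource;
        failedAttempts = 0;
        drawsBlockedUntil = block.timestamp + SWAP_COOLDOWN;
    }
    // During the pause, holders of tickets for non-finalized draws can exit.
    function refund(uint256 draw) external {
        uint256 amount = paid[draw][msg.sender];
        require(block.timestamp < drawsBlockedUntil && draw >= currentDraw && amount > 0, "no refund");
        paid[draw][msg.sender] = 0; // clear before sending to block reentrancy
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```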