Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110-L131
Vulnerability details
Impact
When buying tickets using buyTickets(uint128[] calldata drawIds, uint120[] calldata tickets, address frontend, address referrer) in Lottery.sol, the contract has no mechanism to check the validity of frontend and referrer. Anyone can therefore pass arbitrary addresses as frontend and referrer to the function and take the rewards that belong to the real frontend operator and referrer.
Proof of Concept
When calling the buyTickets() function, users can input any address as frontend and referrer, and there is no validation of those addresses. Those addresses will therefore share in the rewards when they shouldn't.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider manually adding a whitelist, adding the real frontend operators and referrers to it, and rejecting any address that is not on the whitelist, so that arbitrary addresses cannot take the reward.
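The following is an added illustration of the finding and of the recommended mitigation; it is not code from the wenwin repository. The contract name, the isFrontend/isReferrer whitelist mappings, the simplified buyTickets signatures (the real function also takes drawIds and tickets), the 1% reward share, and the treatment of address(0) as "no referrer" are all assumptions chosen for the example. The unchecked function reproduces the reported pattern, where caller-supplied addresses are credited without any check; the checked function applies an owner-managed whitelist before crediting anything.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not code from the wenwin project. All names and the
// reward split are assumptions made for illustration.
contract RewardSharingExample {
    address public owner;

    // Whitelists of addresses permitted to receive frontend / referrer rewards
    // (the mitigation recommended in the report).
    mapping(address => bool) public isFrontend;
    mapping(address => bool) public isReferrer;

    // Rewards credited per address, claimable later.
    mapping(address => uint256) public rewards;

    error NotOwner();
    error UnknownFrontend(address frontend);
    error UnknownReferrer(address referrer);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() {
        owner = msg.sender;
    }

    // Owner-managed whitelist administration (assumed governance model).
    function setFrontend(address frontend, bool allowed) external onlyOwner {
        isFrontend[frontend] = allowed;
    }

    function setReferrer(address referrer, bool allowed) external onlyOwner {
        isReferrer[referrer] = allowed;
    }

    // Vulnerable pattern described in the report: the caller chooses the
    // frontend and referrer addresses and they are credited without any
    // validation, so rewards meant for the real operators can be redirected.
    function buyTicketsUnchecked(uint256 ticketPrice, address frontend, address referrer) external {
        _credit(ticketPrice, frontend, referrer);
    }

    // Hardened pattern: only whitelisted addresses may be credited.
    // address(0) is assumed to mean "no referrer" and is allowed.
    function buyTicketsChecked(uint256 ticketPrice, address frontend, address referrer) external {
        if (!isFrontend[frontend]) revert UnknownFrontend(frontend);
        if (referrer != address(0) && !isReferrer[referrer]) revert UnknownReferrer(referrer);
        _credit(ticketPrice, frontend, referrer);
    }

    // Assumed split: 1% of the ticket price to the frontend and 1% to the
    // referrer when one is given.
    function _credit(uint256 ticketPrice, address frontend, address referrer) internal {
        uint256 share = ticketPrice / 100;
        rewards[frontend] += share;
        if (referrer != address(0)) {
            rewards[referrer] += share;
        }
    }
}
```

With this layout, a purchase that names an address the owner has not registered reverts with UnknownFrontend or UnknownReferrer instead of silently crediting it, which is the behaviour the mitigation asks for.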