code-423n4 / 2023-03-wenwin-findings


Lack of validation for frontend and referrer in Lottery.sol #194

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110-L131

Vulnerability details

Impact

When buying tickets using buyTickets(uint128[] calldata drawIds, uint120[] calldata tickets, address frontend, address referrer) in Lottery.sol, the contract doesn't have any mechanism to check the validity of frontend and referrer. So anyone can pass any address as frontend and referrer to the function and take the rewards belonging to the real frontend and referrer.

Proof of Concept

function buyTickets(
    uint128[] calldata drawIds,
    uint120[] calldata tickets,
    address frontend,
    address referrer
)
    external
    override
    requireJackpotInitialized
    returns (uint256[] memory ticketIds)
{
    if (drawIds.length != tickets.length) {
        revert DrawsAndTicketsLenMismatch(drawIds.length, tickets.length);
    }
    ticketIds = new uint256[](tickets.length);
    for (uint256 i = 0; i < drawIds.length; ++i) {
        // frontend and referrer are forwarded as supplied by the caller
        ticketIds[i] = registerTicket(drawIds[i], tickets[i], frontend, referrer);
    }
    // Referral and frontend reward accounting is credited to the caller-supplied
    // addresses without any check that they are known operators
    referralRegisterTickets(currentDraw, referrer, msg.sender, tickets.length);
    frontendDueTicketSales[frontend] += tickets.length;
    rewardToken.safeTransferFrom(msg.sender, address(this), ticketPrice * tickets.length);
}

When calling the buyTickets() function, users can input any address as frontend and referrer, and there is no validation on those addresses. So these addresses will also share the rewards while they shouldn't.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider manually adding a whitelist and adding the real frontend operators and referrers to it, to prevent an arbitrary address from taking the reward.
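The following sketch shows one way the whitelist mitigation proposed above could look. It is an added example, not Wenwin's code and not a patch to Lottery.sol: the contract name, the `isFrontend` / `isReferrer` mappings, the owner-managed setters, the custom errors, the `referrerTicketCount` bookkeeping and the convention that `address(0)` means "no frontend / no referrer" are all assumptions made for illustration. Ticket registration and the reward-token transfer are left out because they are unchanged by the mitigation.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical sketch of a whitelist-gated buyTickets. Storage layout, error
// names and the owner-managed allowlists are assumptions for this example,
// not the project's own design.
contract WhitelistedLotterySketch {
    error NotOwner();
    error DrawsAndTicketsLenMismatch(uint256 draws, uint256 tickets);
    error FrontendNotWhitelisted(address frontend);
    error ReferrerNotWhitelisted(address referrer);

    address public immutable owner;

    // Assumed allowlists: only addresses flagged here may receive reward credit.
    mapping(address => bool) public isFrontend;
    mapping(address => bool) public isReferrer;

    // Reward accounting, mirroring the shape of the original frontendDueTicketSales.
    mapping(address => uint256) public frontendDueTicketSales;
    mapping(address => uint256) public referrerTicketCount; // stand-in for referral bookkeeping

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Assumed admin entry points for maintaining the whitelist.
    function setFrontend(address frontend, bool allowed) external onlyOwner {
        isFrontend[frontend] = allowed;
    }

    function setReferrer(address referrer, bool allowed) external onlyOwner {
        isReferrer[referrer] = allowed;
    }

    function buyTickets(
        uint128[] calldata drawIds,
        uint120[] calldata tickets,
        address frontend,
        address referrer
    )
        external
    {
        if (drawIds.length != tickets.length) {
            revert DrawsAndTicketsLenMismatch(drawIds.length, tickets.length);
        }

        // The validation the original function lacks: reject unknown addresses
        // before any reward accounting happens. address(0) is treated as
        // "no frontend" / "no referrer" (an assumption of this sketch) so that
        // a buyer without either can still purchase tickets.
        if (frontend != address(0) && !isFrontend[frontend]) {
            revert FrontendNotWhitelisted(frontend);
        }
        if (referrer != address(0) && !isReferrer[referrer]) {
            revert ReferrerNotWhitelisted(referrer);
        }

        // Ticket registration and the rewardToken transfer from the original
        // flow would go here; they are unchanged by the mitigation.

        // Only whitelisted addresses ever reach the reward accounting.
        if (frontend != address(0)) {
            frontendDueTicketSales[frontend] += tickets.length;
        }
        if (referrer != address(0)) {
            referrerTicketCount[referrer] += tickets.length;
        }
    }
}
```

The two revert checks sit before any state is written, so a purchase naming an unregistered frontend or referrer fails atomically rather than crediting the unknown address. Whether a zero address should be accepted, and who is allowed to maintain the lists, are product decisions the sketch only assumes.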

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)