code-423n4 / 2023-03-wenwin-findings

Users can earn free money by buying tickets and selling tickets while earning the LOT token staking rewards #195

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110-L131

Vulnerability details

Impact

Users can earn free money by buying tickets and selling tickets while earning the LOT token staking rewards

Proof of Concept

Since all tickets are just NFTs and free to transfer, and the LOT token staking reward is directly related to the ticket amount, a user can deposit lots of LOT to the staking contract, and then buy and sell lots of ticket NFTs. In this way he/she can earn free staking rewards.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider forbidding the transfer of ticket NFTs. Anyone who wants tickets can only mint them themselves.

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #126

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)