c4-judge
commented
1 year ago thereksfour changed the severity to QA (Quality Assurance)
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago thereksfour changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago thereksfour marked the issue as grade-b
c4-sponsor
commented
1 year ago TutaRicky marked the issue as sponsor disputed
thereksfour
commented
1 year ago QA
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/ReferralSystem.sol#L99-L100 https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/ReferralSystem.sol#L105
Vulnerability details
Impact
If there is a sufficiently small referrer reward and correspondingly large amount of eligible referred tickets sold for a given draw, there is potential for the reward for one ticket to = 0, leading to loss of rewards.
Proof of Concept
Example context for player rewards (same situation applies for referrer rewards):
playerRewardForDraw = 99ticketsSoldDuringDraw = 100ReferralSystem.referralDrawFinalize()is called when finalizing a lottery draw, and in this case, the user should receive the full 99 fromplayerRewardForDraw.However, since in
referralDrawFinalize()playerRewardsPerDrawForOneTicket[drawFinalized] = playerRewardForDraw / ticketsSoldDuringDrawrounds down to 0, and later inclaimPerDraw()claimedReward += playerRewardsPerDrawForOneTicket[drawId] * _unclaimedTickets.playerTicketCount;, although the user should receive the full allocated amount of the reward (99), they receive 0.Tools Used
Manual review
Recommended Mitigation Steps
Some suggestions:
# tickets sold > rewardreferralDrawFinalize(), store the draw's reward components (ie:totalReward&totalTicketCount) as a struct and perform the division after the multiplication inclaimPerDrawin order to minimize the precision loss. (ie: this would becomeuserReward = userTicketCount * totalReward / totalTicketCount)