code-423n4 / 2023-03-wenwin-findings


[M-1] To earn additional rewards, buyers can set both `frontend` and `referrer` to their own address (msg.sender). #252

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/Lottery.sol#L110-L115

Vulnerability details

Impact

The frontend and referrer arguments are used to reward the front-end operators and referrers who sell and promote tickets. However, buyers can set both arguments to their own address (msg.sender) and claim the rewards. The code does not prevent this by checking if the buyer is different from the frontend and referrer.

https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/Lottery.sol#L110-L115

The rewards are wrongly distributed to the buyers instead of the frontend and referrer. This creates a serious vulnerability that can be exploited by a malicious front-end (a front-end which promotes malware or displays unwanted ads) that allows users to set both arguments to their own address. This would destroy the competition and viability of all other frontends and referrers. This goes against the original intention and design of Wenwin.

Proof of Concept

Tools Used

Manual

Recommended Mitigation Steps

To prevent buyers from claiming the rewards for themselves, add this line of code to check that the frontend and referrer are not the same as the buyer:

    require(frontend != msg.sender && referrer != msg.sender, "frontend/referrer must not be the buyer");

Usually, a referral program offers some benefits or discounts to users who join it through a specific frontend or referrer. This creates an economic incentive for users to choose the best offer available (from a frontend or referral program). However, the current design does not have such an incentive mechanism. Instead, it encourages buyers to set both frontend and referrer to their own address and get all the rewards.
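As an added illustration that is not Wenwin's `Lottery.sol` and not part of the report, here is a minimal Solidity sketch of the reward attribution the finding describes: a ticket purchase credits a cut to `frontend` and `referrer`, shown once without the check (the vulnerable shape) and once with the suggested `require`. The contract, function and variable names (`ReferralLottery`, `buyTicketUnchecked`, `buyTicket`, `rewards`, `frontendBps`, `referrerBps`) and the 1% reward rates are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical sketch, not Wenwin's code. Reward bookkeeping is reduced to a
// single mapping so the attribution problem is visible; all names are assumed.
contract ReferralLottery {
    uint256 public constant ticketPrice = 1 ether;
    uint256 public constant frontendBps = 100; // assumed: 1% of ticket price
    uint256 public constant referrerBps = 100; // assumed: 1% of ticket price

    mapping(address => uint256) public rewards;
    mapping(address => uint256) public ticketsOwned;

    // Vulnerable shape: nothing rejects frontend == msg.sender or
    // referrer == msg.sender, so the buyer receives the referral cut.
    function buyTicketUnchecked(address frontend, address referrer) external payable {
        require(msg.value == ticketPrice, "wrong price");
        _credit(frontend, referrer);
        ticketsOwned[msg.sender] += 1;
    }

    // Hardened shape: the check recommended in the report. It only rejects
    // the case where the buyer passes their own address; it does not by
    // itself prove that frontend and referrer are independent parties.
    function buyTicket(address frontend, address referrer) external payable {
        require(msg.value == ticketPrice, "wrong price");
        require(frontend != msg.sender && referrer != msg.sender, "self-referral");
        _credit(frontend, referrer);
        ticketsOwned[msg.sender] += 1;
    }

    // Credits the referral cuts; a zero address means "no frontend/referrer".
    function _credit(address frontend, address referrer) internal {
        if (frontend != address(0)) rewards[frontend] += (ticketPrice * frontendBps) / 10_000;
        if (referrer != address(0)) rewards[referrer] += (ticketPrice * referrerBps) / 10_000;
    }

    // Pull-based payout: balance is zeroed before the external call.
    function claimRewards() external {
        uint256 amount = rewards[msg.sender];
        rewards[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```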

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

thereksfour marked the issue as grade-a