Closed code423n4 closed 1 year ago
The check already exists
function claimWinningTicket(uint256 ticketId) private onlyTicketOwner(ticketId) returns (uint256 claimedAmount) {
...
modifier onlyTicketOwner(uint256 ticketId) {
if (ownerOf(ticketId) != msg.sender) {
revert UnauthorizedClaim(ticketId, msg.sender);
}
_;
}
thereksfour marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/ILottery.sol#L154-L159 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L170-L176
Vulnerability details
Impact
Even if users win the Lottery, the attacker can steal the winnings by front-running attack.
Proof of Concept
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/interfaces/ILottery.sol#L154-L159
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L170-L176
The
claimWinningTickets()
transfer all winnings tomsg.sender
for the tickets.In this function, there is no checking the buyer of tickets are equal to the
msg.sender
And only the ticketId depends on whether that ticketId is a winning ticket.
Therefore, the following can happen
claimWinningTickets()
to get paid a reward.Tools Used
Manual
Recommended Mitigation Steps
Check that the ticket buyer is equal to the
msg.sender
in executingclaimWinningTickets()
to prevent a front-running attack.