When fee on transfer token is used as a reward token then player can purchase large number of tickets for which protocol will receive less amount than ticketPrice * tickets.length, as while transfering funds from player(msg.sender) to Lottery contract, fee will be deducted.
Due to this, if fee on transfer token is charging more fee then there will be a possibility of having less amount in prize pot to be distributed among the ticket winners.
Whenever player(msg.sender) tries to buy a ticket, player's ticketPrice * tickets.length rewardTokens are transfered to Lotterey contract but since rewardToken could be a fee on transfer token, Lottery contract will recieve less funds.
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L130
Vulnerability details
Impact
When fee on transfer token is used as a reward token then player can purchase large number of
tickets
for which protocol will receive less amount thanticketPrice * tickets.length
, as while transfering funds fromplayer(msg.sender)
toLottery
contract,fee
will be deducted.Due to this, if fee on transfer token is charging more fee then there will be a possibility of having less amount in prize pot to be distributed among the ticket winners.
Proof of Concept
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L130
Whenever
player(msg.sender)
tries to buy a ticket, player'sticketPrice * tickets.length
rewardTokens are transfered toLotterey
contract but sincerewardToken
could be afee on transfer
token,Lottery
contract will recieve less funds.1.5 Dai
.100
of tickets usingbuyTickets
function after approving100 * 1.5 Dai = 150 Dai
toLottery
contract.Lottery
contract will recieve150 Dai * (100 - 5) / 100 = 142.5 = 142 Dai
Lottery
contract will clearly have a5% loss
on 100 tickets. It recieved142 Dai
instead of150 Dai
.Tools Used
Manual Review
Recommended Mitigation Steps
Make sure to check how much
Lottery
contract is recieving while someone buy a ticket like shown below.