Closed code423n4 closed 1 year ago
thereksfour marked the issue as unsatisfactory: Overinflated severity
thereksfour marked the issue as nullified
thereksfour marked the issue as not nullified
thereksfour marked the issue as duplicate of #483
thereksfour changed the severity to QA (Quality Assurance)
thereksfour marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/ReferralSystem.sol#L69-L71
Vulnerability details
Impact
When buying tickets in the Lottery.sol file (https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110), you can pass a referrer as a parameter, and that referrer gets extra rewards for the referral.
The issue is that if you pass yourself (your address) as a referrer instead of a real referrer, you can double your rewards after each draw.
As you can see in the function claimPerDraw:
they use the referral reward the same way as the normal ticket reward, so if you add your address as referrer, the claimedReward variable will be doubled and you would earn twice as many reward tokens.
Proof of Concept
The proof of concept relies on the function testBuyTicketDuringInitialPotRaise() in the following file:
Note: We are passing address(this) as the referrer so we can get twice as many rewards.
Tools Used
Manual
Recommended Mitigation Steps
Add a system to track and create referrals instead of allowing arbitrary addresses. Also, the referrer should not be the msg.sender.
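A sketch of the two recommended checks, added here as an example and not taken from the Wenwin code base or from the report: referrers must be registered in advance, and a buyer cannot name themselves. The contract, function, error and event names are hypothetical, and the sketch models only the referral accounting (payment and ticket minting are out of scope).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Illustrative only: all names below are hypothetical, not Wenwin's.
contract ReferralGuardExample {
    error NotAdmin();
    error SelfReferral();
    error UnknownReferrer(address referrer);

    address public immutable admin;

    // Allowlist of addresses that may be credited as referrers.
    mapping(address => bool) public isRegisteredReferrer;
    // drawId => referrer => number of referred tickets credited in that draw.
    mapping(uint128 => mapping(address => uint256)) public referredTickets;

    event ReferrerRegistered(address indexed referrer);
    event ReferralCredited(
        uint128 indexed drawId, address indexed referrer, address indexed buyer, uint256 tickets
    );

    constructor() {
        admin = msg.sender;
    }

    /// Referrals are created through an explicit registration step,
    /// so an arbitrary address passed at purchase time is never credited.
    function registerReferrer(address referrer) external {
        if (msg.sender != admin) revert NotAdmin();
        isRegisteredReferrer[referrer] = true;
        emit ReferrerRegistered(referrer);
    }

    /// Entry point standing in for a ticket purchase; only the referral
    /// bookkeeping is modelled here.
    function buyTickets(uint128 drawId, uint256 tickets, address referrer) external {
        _creditReferral(drawId, referrer, msg.sender, tickets);
    }

    function _creditReferral(uint128 drawId, address referrer, address buyer, uint256 tickets) internal {
        if (referrer == address(0)) return; // purchase without a referral
        if (referrer == buyer) revert SelfReferral(); // referrer must not be msg.sender
        if (!isRegisteredReferrer[referrer]) revert UnknownReferrer(referrer);

        referredTickets[drawId][referrer] += tickets;
        emit ReferralCredited(drawId, referrer, buyer, tickets);
    }
}
```

The equality check only compares addresses, which is why it is paired with the registration step; the ReferralCredited event gives off-chain monitoring a record of which buyer credited which referrer in each draw.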