code-423n4 / 2023-03-wenwin-findings


When buying lottery tickets, you can mark the referral as yourself as well as the frontend operator. #296

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110-L131

Vulnerability details

Impact

If a user buys a lottery ticket and refers to himself in both the referral fee and operator fee, the protocol will be negatively impacted because of the unnecessary discount of the ticket. This behavior should be analyzed in more depth, considering a scenario of a facade/front website whose only purpose is to serve lottery buyers by providing more rebates (player, referrer, and frontend reward).

Proof of Concept

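    // Foundry test: USER buys a ticket and names themselves in both address arguments.
    function testBuyTicketAndBeFrontend() public {
        vm.startPrank(USER);
        vm.label(USER, "USER");

        uint128 currentDraw = lottery.currentDraw();
        // Mint reward tokens and approve the lottery to spend them.
        rewardToken.mint(5 ether);
        rewardToken.approve(address(lottery), 5 ether);

        // One ticket for the current draw.
        uint128[] memory drawIds = new uint128[](1);
        drawIds[0] = currentDraw;
        uint120[] memory tickets = new uint120[](1);
        tickets[0] = uint120(0x0F);

        // USER is passed as both the frontend and the referrer.
        uint256[] memory ticketIds = lottery.buyTickets(drawIds, tickets, USER, USER);
    }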

Recommended Mitigation Steps

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)