Closed code423n4 closed 1 year ago
thereksfour changed the severity to QA (Quality Assurance)
thereksfour marked the issue as grade-b
Initial LOT token sale will happen after the initialization of the Lottery. We will not accept this issue.
rand0c0des marked the issue as sponsor disputed
thereksfour marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L118
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/RNSourceController.sol#L77-L87
Vulnerability details
Impact
The call time of initSource() is uncertain, leading to rug risks
Proof of Concept
In the current protocol, the owner sets `source` through `initSource()`. `source` is used to generate random numbers, so if the source is malicious it is very easy to rug funds. But currently it is not enforced, before users start to buy, that it must have been set; the only check is that initPot must have been done. The code is as follows:

This may lead to a problem. The owner does not want to set `source` maliciously, the user is not aware of it, and when the user buys a large number of tickets, there are already funds in the contract. The owner then inits a malicious source for the rug.
So in buyTickets it is recommended to check whether the source is set or not, or to pass it in through the constructor
Tools Used
Recommended Mitigation Steps
init `source` in the constructor
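The check recommended above, as an added sketch that is not part of the original report and is not Wenwin's code. The contract `LotterySketch`, its simplified `buyTickets(uint256)` signature, the `IRNSource` stub, the error names and `TICKET_PRICE` are all assumptions made for illustration; only `initSource`, `source` and `buyTickets` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical stand-in for the random number source interface.
interface IRNSource {
    function requestRandomNumber() external;
}

// Simplified illustration: ticket sales stay closed until the RNG source is fixed.
contract LotterySketch {
    address public immutable owner;
    IRNSource public source; // unset (address(0)) until initSource() is called
    uint256 public constant TICKET_PRICE = 0.01 ether; // constructed value
    mapping(address => uint256) public ticketsOf;

    error NotOwner();
    error ZeroAddress();
    error SourceAlreadyInitialized();
    error SourceNotInitialized();
    error WrongPayment();

    constructor() {
        owner = msg.sender;
    }

    // One-shot initialisation: once set, the source cannot be replaced here.
    function initSource(IRNSource rnSource) external {
        if (msg.sender != owner) revert NotOwner();
        if (address(rnSource) == address(0)) revert ZeroAddress();
        if (address(source) != address(0)) revert SourceAlreadyInitialized();
        source = rnSource;
    }

    // Guard from the report: refuse user funds while no source is set, so
    // buyers can inspect the source contract before any money enters the pot.
    function buyTickets(uint256 count) external payable {
        if (address(source) == address(0)) revert SourceNotInitialized();
        if (msg.value != count * TICKET_PRICE) revert WrongPayment();
        ticketsOf[msg.sender] += count;
    }
}
```

With this guard the ordering the sponsor describes (source initialised before any sale) is enforced on-chain rather than left to the deployment procedure.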