code-423n4 / 2023-03-wenwin-findings

initSource() Uncertainty call time, leading to risks #329

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L118

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/RNSourceController.sol#L77-L87

Vulnerability details

Impact

The time at which initSource() is called is uncertain, leading to rug risks

Proof of Concept

In the current protocol, the owner sets the source through initSource(). The source is used to generate random numbers; if the source is malicious, it is very easy to rug funds. But currently the protocol does not enforce that the source has been set before users start buying tickets for a draw; it only checks that initPot has been done. The code is as follows:

    function buyTickets(
        uint128[] calldata drawIds,
        uint120[] calldata tickets,
        address frontend,
        address referrer
    )
        external
        override
        requireJackpotInitialized  //<-------only check initialPot 
        returns (uint256[] memory ticketIds)
    {
        if (drawIds.length != tickets.length) {
            revert DrawsAndTicketsLenMismatch(drawIds.length, tickets.length);
        }
        ticketIds = new uint256[](tickets.length);
        for (uint256 i = 0; i < drawIds.length; ++i) {
            ticketIds[i] = registerTicket(drawIds[i], tickets[i], frontend, referrer);
        }

        referralRegisterTickets(currentDraw, referrer, msg.sender, tickets.length);
        frontendDueTicketSales[frontend] += tickets.length;
        rewardToken.safeTransferFrom(msg.sender, address(this), ticketPrice * tickets.length);
    }

This may lead to a problem. The owner does not want to set `source` maliciously, the user is not aware of it, and when the user buys a large number of tickets, there are already funds in the contract. The owner then inits a malicious source for a rug.

So in buyTickets it is recommended to check whether the source is set or not, or to pass it in through the constructor.

Tools Used

Recommended Mitigation Steps

init source in the constructor
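The guard recommended in the report above (refusing ticket purchases until the source is set), as an added sketch that is not part of the original report and not the Wenwin code. The contract name, the errors, the event, `requireSourceInitialized` and the simplified `buyTickets(uint256)` signature are assumptions made for illustration; only `initSource`, `buyTickets` and `source` are names taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Hypothetical, simplified sketch. Everything except the names initSource,
/// buyTickets and source is an assumption; this is not the Wenwin implementation.
contract GuardedLotterySketch {
    address public immutable owner;
    address public source; // randomness source, zero until initSource() is called
    mapping(address => uint256) public ticketsBought;

    error NotOwner();
    error SourceZeroAddress();
    error SourceAlreadyInitialized();
    error SourceNotInitialized();

    event SourceSet(address indexed rnSource);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Blocks ticket sales until the randomness source is fixed on-chain,
    /// so buyers can inspect the source before any funds enter the contract.
    modifier requireSourceInitialized() {
        if (source == address(0)) revert SourceNotInitialized();
        _;
    }

    /// One-time setter: rejects the zero address and any second call.
    function initSource(address rnSource) external onlyOwner {
        if (rnSource == address(0)) revert SourceZeroAddress();
        if (source != address(0)) revert SourceAlreadyInitialized();
        source = rnSource;
        emit SourceSet(rnSource);
    }

    /// Payment and ticket registration are reduced to a counter in this sketch.
    function buyTickets(uint256 count) external requireSourceInitialized {
        ticketsBought[msg.sender] += count;
    }
}
```

Passing the source as a constructor argument, the report's other suggestion, makes the guard unnecessary because `source` can then never be observed as zero.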

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

thereksfour marked the issue as grade-b

rand0c0des commented 1 year ago

Initial LOT token sale will happen after the initialization of the Lottery. We will not accept this issue.

c4-sponsor commented 1 year ago

rand0c0des marked the issue as sponsor disputed

c4-judge commented 1 year ago

thereksfour marked the issue as grade-c