When creating a lottery, the creator passes in selectionMax and selectionSize to control the lottery's winning probability. The constructor of LotterySetup.sol performs the following checks:
selectionMax < 120
selectionSize != 0
selectionSize <= 16
selectionSize < selectionMax
It does not check the minimum value of selectionMax, and its check on selectionSize is too loose, which may lead to a very high probability of winning. In an extreme case, such as selectionMax being 8 and selectionSize being 7, the probability of the jackpot is (1/8) ^ 7 = 0.000000476837158203125. If the first prize pool is greater than 1 / 0.000000476837158203125 * 3.33 = 6983516.16, then the theoretical rate of return of the jackpot is greater than 1.
Impact
If the creator creates an unreasonable lottery, an attacker could buy tickets like crazy to win the prize pool.
Recommended Mitigation Steps
Limit selectionMax and selectionSize to avoid a super high winning rate.
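An added example, not part of the original finding or the Wenwin code base: a Python pre-deployment check that applies the four constructor conditions listed above and reproduces the finding's break-even figure. The function names, the reading of 3.33 as the cost per ticket, and the alternative combinations-based odds model are assumptions.

```python
from fractions import Fraction
from math import comb

# 3.33 is the multiplier used in the finding's calculation; treating it as
# the cost per ticket is an assumption of this example.
COST_PER_TICKET = Fraction(333, 100)

def passes_constructor_checks(selection_max, selection_size):
    """The four constructor checks listed in the finding."""
    return (selection_max < 120 and selection_size != 0
            and selection_size <= 16 and selection_size < selection_max)

def odds_as_in_finding(selection_max, selection_size):
    """Jackpot probability as the finding computes it: (1/selectionMax) ^ selectionSize."""
    return Fraction(1, selection_max) ** selection_size

def odds_by_combinations(selection_max, selection_size):
    """Assumed model: a ticket is an unordered pick of selectionSize distinct numbers."""
    return Fraction(1, comb(selection_max, selection_size))

def break_even_pool(odds, cost=COST_PER_TICKET):
    """Jackpot size above which the expected jackpot return per ticket exceeds its cost."""
    return cost / odds

def review(selection_max, selection_size, jackpot, odds_fn=odds_as_in_finding):
    """Verdict a deployer can act on before creating the lottery."""
    if not passes_constructor_checks(selection_max, selection_size):
        return "rejected by constructor"
    threshold = break_even_pool(odds_fn(selection_max, selection_size))
    return "unsafe: jackpot above break-even" if jackpot > threshold else "ok"

def weakest_accepted_configs(limit=5, odds_fn=odds_by_combinations):
    """Accepted (selectionMax, selectionSize) pairs with the lowest break-even pool."""
    pairs = [(m, s) for m in range(1, 120) for s in range(1, 17)
             if passes_constructor_checks(m, s)]
    return sorted(pairs, key=lambda p: (break_even_pool(odds_fn(*p)), p))[:limit]

if __name__ == "__main__":
    print("finding's break-even pool for (8, 7):",
          float(break_even_pool(odds_as_in_finding(8, 7))))
    print("same pair under the combinations model:",
          float(break_even_pool(odds_by_combinations(8, 7))))
    print("weakest accepted configs:", weakest_accepted_configs())
```

Under the assumed combinations model the break-even pool for the same pair is far lower than the finding's figure, so the case for tighter bounds does not depend on which odds model applies.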
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L12