code-423n4 / 2023-03-wenwin-findings


The minimum values of selectionMax and selectionSize are not verified when creating a lottery, which may create an unreasonable lottery #333

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L12

Vulnerability details

Summary

src/LotterySetup.sol

    constructor(LotterySetupParams memory lotterySetupParams) {
        if (address(lotterySetupParams.token) == address(0)) {
            revert RewardTokenZero();
        }
        if (lotterySetupParams.ticketPrice == uint256(0)) {
            revert TicketPriceZero();
        }
        if (lotterySetupParams.selectionSize == 0) {
            revert SelectionSizeZero();
        }
        if (lotterySetupParams.selectionMax >= 120) {
            revert SelectionSizeMaxTooBig();
        }
        if (
            lotterySetupParams.expectedPayout < lotterySetupParams.ticketPrice / 100
                || lotterySetupParams.expectedPayout >= lotterySetupParams.ticketPrice
        ) {
            revert InvalidExpectedPayout();
        }
        if (
            lotterySetupParams.selectionSize > 16 || lotterySetupParams.selectionSize >= lotterySetupParams.selectionMax
        ) {
            revert SelectionSizeTooBig();
        }
        if (
            lotterySetupParams.drawSchedule.drawCoolDownPeriod >= lotterySetupParams.drawSchedule.drawPeriod
                || lotterySetupParams.drawSchedule.firstDrawScheduledAt < lotterySetupParams.drawSchedule.drawPeriod
        ) {
            revert DrawPeriodInvalidSetup();
        }
        // - skip -
    }

When creating a lottery, the creator needs to pass in selectionMax and selectionSize to control the probability of the lottery. The constructor of LotterySetup.sol does some checks:

It does not check the minimum value of selectionMax, and it is too loose when checking selectionSize, which may lead to a very high probability of winning. In extreme cases, such as when selectionMax is 8 and selectionSize is 7, the probability of the jackpot is (1/8) ^ 7 = 0.000000476837158203125. If the first prize pool is greater than 1 / 0.000000476837158203125 * 3.33 = 6983516.16, then the theoretical rate of return of the jackpot is greater than 1.

Impact

If the creator created an unreasonable lottery, the attacker could buy tickets like crazy to win the prize pool.

Recommended Mitigation Steps

Limit selectionMax and selectionSize to avoid a super high winning rate.
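
An added example, not part of the original report or the Wenwin code base: it mirrors the selectionSize/selectionMax checks from the constructor quoted above and lists the parameter pairs the constructor accepts, with the size of the resulting ticket space. It assumes a ticket is selectionSize distinct numbers out of selectionMax and that the jackpot requires matching all of them; `min_combinations` and `hardened_accepts` are hypothetical names for the kind of lower bound the report recommends.

```python
from math import comb

# Bounds copied from the constructor checks quoted in the report.
SELECTION_MAX_LIMIT = 120   # selectionMax >= 120 reverts
SELECTION_SIZE_LIMIT = 16   # selectionSize > 16 reverts


def constructor_accepts(selection_size, selection_max):
    """Mirror the selection checks of the LotterySetup constructor."""
    if selection_size == 0:
        return False  # SelectionSizeZero
    if selection_max >= SELECTION_MAX_LIMIT:
        return False  # SelectionSizeMaxTooBig
    if selection_size > SELECTION_SIZE_LIMIT or selection_size >= selection_max:
        return False  # SelectionSizeTooBig
    return True


def jackpot_combinations(selection_size, selection_max):
    """Number of distinct tickets.

    ASSUMPTION: a ticket is selection_size distinct numbers out of
    selection_max, so one ticket hits the jackpot with odds 1 in comb(max, size).
    """
    return comb(selection_max, selection_size)


def accepted_below(min_combinations):
    """Accepted (size, max, combinations) triples whose ticket space is under a floor."""
    hits = []
    for selection_max in range(0, SELECTION_MAX_LIMIT + 1):
        for selection_size in range(0, SELECTION_SIZE_LIMIT + 2):
            if not constructor_accepts(selection_size, selection_max):
                continue
            n = jackpot_combinations(selection_size, selection_max)
            if n < min_combinations:
                hits.append((selection_size, selection_max, n))
    return sorted(hits, key=lambda h: h[2])


def hardened_accepts(selection_size, selection_max, min_combinations):
    """Hypothetical extra check: the existing checks plus a minimum ticket space."""
    return (constructor_accepts(selection_size, selection_max)
            and jackpot_combinations(selection_size, selection_max) >= min_combinations)


if __name__ == "__main__":
    for size, smax, n in accepted_below(10):
        print(f"selectionSize={size} selectionMax={smax} -> jackpot odds 1 in {n}")
```
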

c4-judge commented 1 year ago

thereksfour marked the issue as unsatisfactory: Overinflated severity

thereksfour commented 1 year ago

consider QA, submit QA as High, severity exaggerated