code-423n4 / 2023-03-wenwin-findings


[M] Prevent someone from buying an infinite number of tickets in the function buyTickets #342

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110-L131

Vulnerability details

Impact

Add protection to prevent someone from buying an infinite number of tickets in the "buyTickets" function.

Proof of Concept

https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/Lottery.sol#L110-L131

Tools Used

Manual

Recommended Mitigation Steps

    uint256 public constant MAX_TICKETS_PER_TX = 1000;

    function buyTickets(
        uint128[] calldata drawIds,
        uint120[] calldata tickets,
        address frontend,
        address referrer
    )
        external
        override
        requireJackpotInitialized
        returns (uint256[] memory ticketIds)
    {
        require(tickets.length <= MAX_TICKETS_PER_TX, "Too many tickets"); // Check that the number of tickets does not exceed the maximum limit
        if (drawIds.length != tickets.length) {
            revert DrawsAndTicketsLenMismatch(drawIds.length, tickets.length);
        }
        ticketIds = new uint256[](tickets.length);
        for (uint256 i = 0; i < drawIds.length; ++i) {
            ticketIds[i] = registerTicket(drawIds[i], tickets[i], frontend, referrer);
        }
        referralRegisterTickets(currentDraw, referrer, msg.sender, tickets.length);
        frontendDueTicketSales[frontend] += tickets.length;
        rewardToken.safeTransferFrom(msg.sender, address(this), ticketPrice * tickets.length);
    }


c4-judge commented 1 year ago

thereksfour marked the issue as unsatisfactory: Invalid