Closed code423n4 closed 1 year ago
thereksfour marked the issue as duplicate of #483
https://github.com/code-423n4/org/issues/53. Require user mistakes, QA. Submit QA as High, invalid
thereksfour marked the issue as not a duplicate
thereksfour marked the issue as unsatisfactory: Overinflated severity
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L110-L131
Vulnerability details
When tickets are bought, the protocol allows the buyer to specify a frontend that will receive a percentage of the ticket fee as rewards (10% for the current setup). However, if this input is left empty during purchase, frontend rewards will still be counted and associated with the zero address.
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L110-L131
Note: protocol owners have confirmed over Discord messaging that frontend is optional and sending the zero address is a valid case.
Impact
In this scenario, frontend rewards will be lost as these will be associated with the zero address. These rewards won't be claimable since the claimRewards function will only transfer rewards associated to the caller.
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L151-L157
Proof of Concept
In the following test, a user specifies address(0) as the frontend while purchasing tickets. The call succeeds and we can query from the address(0) to show the lost rewards:
Note: buyTickets helper has been modified to allow setting an arbitrary frontend address.
Recommendation
If frontend is optional, then this case should be specially treated when the zero address is sent as the frontend parameter. Either associate them to staking or to protocol profits.
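
The accounting described in this report, as an added example that is not part of the original submission and is not Wenwin's code. It is a simplified model: the contract, function and constant names are hypothetical, the ticket price is an assumed value, and token transfers are replaced by a return value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Simplified model of per-frontend reward accounting.
/// Added example: all names are hypothetical, not taken from Lottery.sol.
contract FrontendRewardModel {
    uint256 public constant TICKET_PRICE = 5 ether;   // assumed value
    uint256 public constant FRONTEND_SHARE_PCT = 10;  // 10%, as stated in the report

    address public immutable stakingRecipient;

    // Tickets sold through each frontend that have not been paid out yet.
    mapping(address => uint256) public dueTickets;

    constructor(address _stakingRecipient) {
        require(_stakingRecipient != address(0), "zero staking recipient");
        stakingRecipient = _stakingRecipient;
    }

    /// Behaviour the report describes: the credit goes to whatever address
    /// is passed, including address(0). Since claim() only pays msg.sender,
    /// a balance recorded under address(0) can never be withdrawn.
    function recordSaleUnchecked(address frontend, uint256 ticketCount) external {
        dueTickets[frontend] += ticketCount;
    }

    /// Handling along the lines of the recommendation: when no frontend is
    /// given, attribute the share to the staking recipient instead.
    function recordSale(address frontend, uint256 ticketCount) external {
        address beneficiary = frontend == address(0) ? stakingRecipient : frontend;
        dueTickets[beneficiary] += ticketCount;
    }

    /// Pays out only the caller's own balance and resets it.
    function claim() external returns (uint256 amount) {
        amount = (dueTickets[msg.sender] * TICKET_PRICE * FRONTEND_SHARE_PCT) / 100;
        dueTickets[msg.sender] = 0;
    }
}
```

After a sale recorded with recordSaleUnchecked(address(0), n), dueTickets(address(0)) stays at n indefinitely, while the same sale through recordSale becomes claimable by the staking recipient.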