code-423n4 / 2023-03-wenwin-findings


Missing checks for frontend address, users can purchase tickets at a 10% discount #42

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L113

Vulnerability details

Impact

Users can purchase tickets at a 10% discount.

Proof of Concept

We know that 10% of ticket sales will be allocated to the frontend. When users call the function buyTickets() to purchase tickets, they can specify the frontend address.

    function buyTickets(
        uint128[] calldata drawIds,
        uint120[] calldata tickets,
        address frontend,
        address referrer
    )
        external
        override
        requireJackpotInitialized
        returns (uint256[] memory ticketIds)
    {
        if (drawIds.length != tickets.length) {
            revert DrawsAndTicketsLenMismatch(drawIds.length, tickets.length);
        }

There is no check of the frontend address and users can specify their own address. After that, users call the function claimRewards() to get frontend rewards. In the end, users purchased tickets at a 10% discount.

    function claimRewards(LotteryRewardType rewardType) external override returns (uint256 claimedAmount) {
        address beneficiary = (rewardType == LotteryRewardType.FRONTEND) ? msg.sender : stakingRewardRecipient;
        claimedAmount = LotteryMath.calculateRewards(ticketPrice, dueTicketsSoldAndReset(beneficiary), rewardType);

        emit ClaimedRewards(beneficiary, claimedAmount, rewardType);
        rewardToken.safeTransfer(beneficiary, claimedAmount);
    }

Tools Used

VS Code

Recommended Mitigation Steps

Whitelist the frontend address
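
One way to implement the whitelist recommended in the report above, as an added example that is not part of the original issue or of the Wenwin code base. `FrontendAllowlist`, `LotterySketch`, `allowlistAdmin`, `ticketsSoldByFrontend` and the error and event names are hypothetical, and the purchase logic is reduced to the frontend accounting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

/// Added illustration, not Wenwin code: all names here are hypothetical.
abstract contract FrontendAllowlist {
    address public immutable allowlistAdmin;
    mapping(address => bool) public isApprovedFrontend;

    event FrontendApprovalChanged(address indexed frontend, bool approved);

    error NotAllowlistAdmin(address caller);
    error FrontendNotApproved(address frontend);

    constructor(address admin) {
        allowlistAdmin = admin;
    }

    /// Only the admin may add or remove a frontend address.
    function setFrontendApproved(address frontend, bool approved) external {
        if (msg.sender != allowlistAdmin) revert NotAllowlistAdmin(msg.sender);
        isApprovedFrontend[frontend] = approved;
        emit FrontendApprovalChanged(frontend, approved);
    }

    /// Rejects any frontend address that has not been approved,
    /// including address(0) and the buyer's own address.
    modifier onlyApprovedFrontend(address frontend) {
        if (!isApprovedFrontend[frontend]) revert FrontendNotApproved(frontend);
        _;
    }
}

/// Simplified stand-in for the lottery: only the frontend accounting is modelled.
contract LotterySketch is FrontendAllowlist {
    mapping(address => uint256) public ticketsSoldByFrontend;

    constructor(address admin) FrontendAllowlist(admin) {}

    function buyTickets(uint120[] calldata tickets, address frontend)
        external
        onlyApprovedFrontend(frontend)
    {
        // Sales are credited only after the allowlist check has passed, so a
        // buyer cannot name an arbitrary address to collect the frontend share.
        ticketsSoldByFrontend[frontend] += tickets.length;
    }
}
```

An allowlist narrows who can earn the frontend share but does not stop an approved frontend from buying through its own address or passing the share back to its users.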

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)