Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L113
Vulnerability details
Impact
Users can purchase tickets at a 10% discount.
Proof of Concept
10% of ticket sales is allocated to the frontend. When users call the function buyTickets() to purchase tickets, they can specify the frontend address. The frontend address is not checked, so users can specify their own address. They can then call the function claimRewards() to collect the frontend rewards. In the end, users have purchased tickets at a 10% discount.
Tools Used
VS Code
Recommended Mitigation Steps
Whitelist the frontend address
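One way the whitelist could look, as an added example that is not Wenwin's Lottery.sol and not code from the report. It is a simplified model: the contract name, state variables, errors, the setFrontend() function, the ETH payment and the ticket price are all assumptions; only the 10% frontend share and the buyTickets()/claimRewards() names come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Simplified model for illustration, NOT Wenwin's Lottery.sol.
// All identifiers except buyTickets/claimRewards are hypothetical.
contract AllowlistedFrontendSale {
    uint256 public constant TICKET_PRICE = 0.01 ether;  // constructed value
    uint256 public constant FRONTEND_SHARE_BPS = 1_000; // 10% of ticket sales, as in the report

    address public immutable owner;
    mapping(address => bool) public isApprovedFrontend;
    mapping(address => uint256) public frontendDueRewards;
    mapping(address => uint256) public ticketsOf;

    error NotOwner();
    error FrontendNotApproved(address frontend);
    error WrongPayment();
    error TransferFailed();

    constructor() {
        owner = msg.sender;
    }

    // Only the owner decides which addresses may earn the frontend share.
    function setFrontend(address frontend, bool approved) external {
        if (msg.sender != owner) revert NotOwner();
        isApprovedFrontend[frontend] = approved;
    }

    function buyTickets(uint256 count, address frontend) external payable {
        if (msg.value != count * TICKET_PRICE) revert WrongPayment();
        // The check the report says is missing: without it a buyer can pass
        // their own address here and recover the 10% via claimRewards().
        if (!isApprovedFrontend[frontend]) revert FrontendNotApproved(frontend);
        ticketsOf[msg.sender] += count;
        frontendDueRewards[frontend] += (msg.value * FRONTEND_SHARE_BPS) / 10_000;
    }

    function claimRewards() external returns (uint256 amount) {
        amount = frontendDueRewards[msg.sender];
        frontendDueRewards[msg.sender] = 0; // clear the balance before the external call
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

With the check in place, a buyer who passes their own unapproved address as the frontend reverts with FrontendNotApproved instead of accruing a claimable balance.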