code-423n4 / 2023-03-wenwin-findings


Fixed multiplicator for minInitialPot and jackpotBound can exclude tokens #440

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L80-L81 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L141-L143 https://github.com/code-423n4/2023-03-wenwin/blob/main/src/LotterySetup.sol#L161

Vulnerability details

Fixed multiplicator for minInitialPot and jackpotBound can exclude tokens

Currently the values for minInitialPot and jackpotBound are fixed multiples of the token unit, depending only on the token's decimals.

If the rewardToken is very valuable, like WBTC, the minimum to raise is 4 WBTC, which is around $85,000. If the token is DAI, it is only a minimum of $4. For early users this can lead to a contract state where finalizeInitialPotRaise can never be called because not enough is raised.

If the rewardToken is not worth much, like SHIB ($0.00001083), the jackpotBound will always be only $20, and as _baseJackpot always returns the min value, the maximum jackpot will only be $20 even if lots of money was raised and _initialPot.getPercentage(BASE_JACKPOT_PERCENTAGE) is much bigger.

File: src/LotterySetup.sol

```solidity
        minInitialPot = 4 * tokenUnit;
        jackpotBound = 2_000_000 * tokenUnit;
```

Proof of Concept

finalizeInitialPotRaise is used to start the lottery, but if not enough tokens are raised, it will not open and the raised tokens will be stuck in the contract.

File: src/LotterySetup.sol

```solidity
        uint256 raised = rewardToken.balanceOf(address(this));
        if (raised < minInitialPot) {
            revert RaisedInsufficientFunds(raised);
        }
```

_baseJackpot is used for the maximum value of the jackpot. If the rewardToken is not worth much and lots of tokens were raised, so that _initialPot.getPercentage(BASE_JACKPOT_PERCENTAGE) would result in way more than 2 million, it will still only return the maximum of 2M tokens, which in the SHIB example is only $20.

File: src/LotterySetup.sol

```solidity
    function _baseJackpot(uint256 _initialPot) internal view returns (uint256) {
        return Math.min(_initialPot.getPercentage(BASE_JACKPOT_PERCENTAGE), jackpotBound);
    }
```

Tools Used

manual review

Recommended Mitigation Steps

Don't use fixed multiplicators for minInitialPot and jackpotBound and let the deployer decide what values are best for the chosen rewardToken in the current market condition.
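As an added illustration of the mitigation suggested above (this is example code written for this page, not code from the Wenwin repository or from the warden's report), the fixed-multiple bounds are shown next to a variant where the deployer supplies both bounds in token base units and the constructor validates them once. `FixedBounds`, `ConfigurableBounds`, `PERCENTAGE_BASE`, `baseJackpotPercentage` and the minimal `IERC20` interface are assumptions for the example; the percentage helper is a plain integer share and does not reproduce the project's `getPercentage`, and access control and the rest of the lottery setup are omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Example code for this page, not Wenwin's. Minimal interface: only balanceOf is needed.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
}

error RaisedInsufficientFunds(uint256 raised);
error InvalidPotBounds(uint256 minInitialPot, uint256 jackpotBound);

/// Weak form (hypothetical contract name): the bounds are a fixed number of
/// token units, so their USD value swings with whatever token is chosen.
contract FixedBounds {
    uint256 public immutable minInitialPot;
    uint256 public immutable jackpotBound;

    constructor(uint8 decimals) {
        uint256 tokenUnit = 10 ** decimals;
        minInitialPot = 4 * tokenUnit;         // 4 WBTC, 4 DAI or 4 SHIB
        jackpotBound = 2_000_000 * tokenUnit;  // 2M WBTC, 2M DAI or 2M SHIB
    }
}

/// Hardened form (hypothetical contract name): the deployer chooses both
/// bounds for the selected rewardToken and they are checked once at deploy time.
contract ConfigurableBounds {
    uint256 private constant PERCENTAGE_BASE = 100; // whole-percent share, assumption

    IERC20 public immutable rewardToken;
    uint256 public immutable minInitialPot;
    uint256 public immutable jackpotBound;
    uint256 public immutable baseJackpotPercentage;

    uint256 public initialPot;

    constructor(
        IERC20 rewardToken_,
        uint256 minInitialPot_,
        uint256 jackpotBound_,
        uint256 baseJackpotPercentage_
    ) {
        // A zero minimum would let the lottery start with an empty pot; a bound
        // below the minimum would cap the jackpot under the smallest allowed pot;
        // the percentage must be a usable share.
        if (
            minInitialPot_ == 0 ||
            jackpotBound_ < minInitialPot_ ||
            baseJackpotPercentage_ == 0 ||
            baseJackpotPercentage_ > PERCENTAGE_BASE
        ) {
            revert InvalidPotBounds(minInitialPot_, jackpotBound_);
        }
        rewardToken = rewardToken_;
        minInitialPot = minInitialPot_;
        jackpotBound = jackpotBound_;
        baseJackpotPercentage = baseJackpotPercentage_;
    }

    /// Same shape as the check quoted in the report, but against a deployer-chosen minimum.
    function finalizeInitialPotRaise() external {
        uint256 raised = rewardToken.balanceOf(address(this));
        if (raised < minInitialPot) {
            revert RaisedInsufficientFunds(raised);
        }
        initialPot = raised;
    }

    /// Base jackpot is the configured share of the initial pot, capped by the
    /// deployer-chosen jackpotBound rather than a fixed 2,000,000 token units.
    function baseJackpot() public view returns (uint256) {
        uint256 share = (initialPot * baseJackpotPercentage) / PERCENTAGE_BASE;
        return share < jackpotBound ? share : jackpotBound;
    }
}
```

With this layout a WBTC deployment can pass a minimum of, say, a fraction of a token and a SHIB deployment can pass a jackpot bound in the billions of token units, which the fixed `4 * tokenUnit` and `2_000_000 * tokenUnit` constants cannot express.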

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #271

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #427

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)

c4-judge commented 1 year ago

thereksfour marked the issue as grade-a