code423n4 closed this issue 1 year ago
Seems to be invalid, will check back later
thereksfour marked the issue as primary issue
In fact, unclaimed jackpots are included in the prize pool, while non-jackpots are not, but the warden does not point this out; consider QA.
thereksfour changed the severity to QA (Quality Assurance)
thereksfour marked the issue as grade-b
This is not an issue.
We cannot return non-jackpot rewards if they are not claimed, as we do not know the exact number of winners. We use an estimate in the form of expectedPayout (sometimes it will be more, sometimes it will be less).
rand0c0des marked the issue as sponsor disputed
thereksfour marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L203-L232
Vulnerability details
Impact
If there are unclaimed rewards or rollovers from previous draws, the size of the prize pool available for rewards may be reduced, and this can result in the drawRewardSize() function returning a value that is less than the amount required to pay out all the jackpot winners at the expected amount. In such a case, the jackpot prize would need to be adjusted accordingly to ensure that it is split among the winners fairly. So the jackpot prize needs to be adjusted so that the payouts are fair.
Proof of Concept
Tools Used
Recommended Mitigation Steps
1) Reserve a portion of the prize pool for unclaimed rewards and rollovers.
2) Add additional checks and balances to ensure that the prize pool is always accurately calculated and distributed.
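The accounting the judge and sponsor describe in this thread, as an added example that is not the Wenwin Lottery.sol code: a hypothetical model in which non-jackpot tiers are provisioned from a fixed per-winner estimate (the sponsor's expectedPayout), only the jackpot tier is paid from whatever remains, and an unwon jackpot rolls into the next draw. Tier names, payouts and winner counts are constructed.

```python
"""Hypothetical prize-pool model for the issue above; not project code.
Non-jackpot tiers reserve per_winner * expected_winners up front and are
never refunded, because the real winner count is only known after the draw.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FixedTier:
    per_winner: int        # fixed reward paid to each winner of this tier
    expected_winners: int  # estimate used when the pool is provisioned
    actual_winners: int    # winners once the draw result is known


def reserved_for_fixed_tiers(tiers):
    """Tokens set aside for all non-jackpot tiers, based on the estimate."""
    return sum(t.per_winner * t.expected_winners for t in tiers)


def jackpot_reward_size(pool, tiers, jackpot_winners):
    """Per-winner jackpot: the pool left after reservations, split among
    actual jackpot winners. 0 when nobody hit the jackpot."""
    remainder = max(pool - reserved_for_fixed_tiers(tiers), 0)
    return remainder // jackpot_winners if jackpot_winners else 0


def fixed_tier_mismatch(tiers):
    """Actual obligation minus reservation per non-jackpot tier. Positive
    means the estimate was too low; negative, too high. This gap is why
    unclaimed non-jackpot funds cannot simply be returned to the pool."""
    return [t.per_winner * (t.actual_winners - t.expected_winners) for t in tiers]


def rollover(pool, tiers, jackpot_winners):
    """Amount carried into the next draw: the whole jackpot remainder when
    there is no jackpot winner, nothing otherwise."""
    if jackpot_winners:
        return 0
    return max(pool - reserved_for_fixed_tiers(tiers), 0)


def simulate():
    """Two constructed draws: an unwon jackpot, then a split between two winners."""
    tiers = [FixedTier(100, 10, 12), FixedTier(20, 50, 45)]  # reserves 2000
    carried = rollover(5000, tiers, jackpot_winners=0)       # 3000 rolls over
    pool2 = 5000 + carried                                   # fresh sales + rollover
    return carried, jackpot_reward_size(pool2, tiers, 2), fixed_tier_mismatch(tiers)
```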