Closed code423n4 closed 1 year ago
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/main/src/Lottery.sol#L110
Vulnerability details
Impact
There's no validation for the frontend address when calling buyTickets. This means any user can set themselves to be the frontend and get a FRONTEND_REWARD percent discount all the time when buying tickets.
Proof of Concept
```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "./LotteryTestBase.sol";
import "../src/Lottery.sol";
import "./TestToken.sol";
import "test/TestHelpers.sol";
import "forge-std/console.sol"; // needed for the console.log calls below if LotteryTestBase does not already import it

contract MoreLotteryTest is LotteryTestBase {
    address public constant OWNER = address(0x111);
    address public constant USER = address(123);

    // Buys a single ticket for `draw` while naming USER itself as the frontend.
    function buyTicketOnDiscount(uint128 draw, uint120 ticket, address referrer) internal returns (uint256 ticketId) {
        uint128[] memory drawIds = new uint128[](1);
        drawIds[0] = draw;
        uint120[] memory tickets = new uint120[](1);
        tickets[0] = ticket;
        uint256[] memory ticketIds = lottery.buyTickets(drawIds, tickets, USER, referrer);
        return ticketIds.length > 0 ? ticketIds[0] : 0;
    }

    function testBuyTicket() public {
        uint128 currentDraw = lottery.currentDraw();
        uint256 initialBalance = rewardToken.balanceOf(address(lottery));

        vm.startPrank(USER);
        rewardToken.mint(5 ether);
        rewardToken.approve(address(lottery), 10 ether);
        console.log(rewardToken.balanceOf(address(lottery)));

        buyTicketOnDiscount(currentDraw, uint120(0x0F), address(0));
        // USER now claims the frontend reward accrued on its own purchase.
        lottery.claimRewards(LotteryRewardType.FRONTEND);
        console.log(rewardToken.balanceOf(address(lottery)));

        // If USER received a frontend reward, the lottery holds less than the
        // full ticket price and this assertion fails, which shows the discount.
        assertEq(rewardToken.balanceOf(address(lottery)), initialBalance + TICKET_PRICE);
    }
}
```
Tools Used
forge test
Recommended Mitigation Steps
Establish some kind of whitelist for valid frontends to avoid this problem.
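As an added example (not wenwin's code and not part of the original issue), a minimal Foundry sketch of the whitelist the mitigation describes: the owner registers frontends, buyTickets rejects any other non-zero frontend before crediting a reward, and a test shows that a buyer who names themselves as the frontend is refused while a registered frontend is still paid. The contract and function names, the 10 percent FRONTEND_REWARD value and the 1.5 ether ticket price are assumptions; payment and ticket storage are omitted.

```solidity
// SPDX-License-Identifier: UNLICENSED
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Illustrative lottery with a frontend whitelist. Not the wenwin Lottery.sol;
// all names and constants here are assumed for the example.
contract WhitelistedFrontendLottery {
    uint256 public constant TICKET_PRICE = 1.5 ether;  // assumed
    uint256 public constant FRONTEND_REWARD = 10;      // percent, assumed
    uint256 public constant PERCENTAGE_BASE = 100;

    address public immutable owner;
    mapping(address => bool) public isFrontend;
    mapping(address => uint256) public unclaimedFrontendRewards;

    error NotOwner();
    error UnauthorizedFrontend(address frontend);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Owner-managed whitelist: only addresses set here may earn frontend rewards.
    function setFrontend(address frontend, bool allowed) external onlyOwner {
        isFrontend[frontend] = allowed;
    }

    // Same parameter shape as the Lottery.buyTickets call in the PoC above.
    function buyTickets(uint128[] calldata drawIds, uint120[] calldata tickets, address frontend, address /*referrer*/)
        external
        returns (uint256 ticketCount)
    {
        require(drawIds.length == tickets.length, "length mismatch");
        // Reject a frontend the owner has not registered. address(0) means
        // "no frontend": it is accepted but earns nothing, so a buyer cannot
        // route the reward back to themselves.
        if (frontend != address(0) && !isFrontend[frontend]) {
            revert UnauthorizedFrontend(frontend);
        }
        ticketCount = tickets.length;
        if (frontend != address(0)) {
            unclaimedFrontendRewards[frontend] += ticketCount * TICKET_PRICE * FRONTEND_REWARD / PERCENTAGE_BASE;
        }
    }
}

contract WhitelistedFrontendLotteryTest is Test {
    WhitelistedFrontendLottery lottery;
    address constant USER = address(123);
    address constant FRONTEND = address(0xF00D);

    function setUp() public {
        lottery = new WhitelistedFrontendLottery(); // this test contract is the owner
        lottery.setFrontend(FRONTEND, true);
    }

    function _buy(address frontend) internal returns (uint256) {
        uint128[] memory drawIds = new uint128[](1);
        uint120[] memory tickets = new uint120[](1);
        tickets[0] = 0x0F;
        return lottery.buyTickets(drawIds, tickets, frontend, address(0));
    }

    // A buyer naming themselves as the frontend is rejected instead of discounted.
    function testSelfAsFrontendReverts() public {
        vm.prank(USER);
        vm.expectRevert(abi.encodeWithSelector(WhitelistedFrontendLottery.UnauthorizedFrontend.selector, USER));
        _buy(USER);
    }

    // A registered frontend still accrues its share of the ticket price.
    function testRegisteredFrontendIsCredited() public {
        vm.prank(USER);
        _buy(FRONTEND);
        assertEq(lottery.unclaimedFrontendRewards(FRONTEND), 0.15 ether);
    }
}
```

Run with forge test in a Foundry project that has forge-std installed. Reverting on an unknown frontend is chosen over silently treating it as address(0) so that a misconfigured integrator notices immediately rather than quietly losing its reward; the trade-off is that the whitelist moves trust to whoever holds the owner key, which is the usual price of closing this class of self-referral.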
thereksfour marked the issue as nullified
thereksfour marked the issue as not nullified
thereksfour marked the issue as duplicate of #483
thereksfour changed the severity to QA (Quality Assurance)