c4-judge
commented
1 year ago thereksfour marked the issue as duplicate of #390
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago thereksfour marked the issue as duplicate of #390
c4-judge
commented
1 year ago thereksfour changed the severity to QA (Quality Assurance)
c4-judge
commented
1 year ago thereksfour marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/ReferralSystem.sol#L117-L128
Vulnerability details
Impact
ReferralSystem's
getMinimumEligibleReferralsFactorCalculation()is responsible for computing the minimum number of tickets a referrer is required to have referred in order to be eligible for rewards.The edge cases when
totalTicketsSoldPrevDraw == 10_000andtotalTicketsSoldPrevDraw == 100_000are incorrect, in that they do not follow the documentation, leading to referrers being able to receive rewards when referring a number of tickets lower than they should need.Example: At
totalTicketsSoldPrevDraw == 10_000, according to the documentation, the referrer should require 1% of totalTicketsSoldPrevDraw => 100 referrals. However, using the code, the referrer is only required to have 0.75% of totalTicketsSoldPrevDraw => 75 referrals.Proof of Concept
ReferralSystem: https://github.com/code-423n4/2023-03-wenwin/blob/91b89482aaedf8b8feb73c771d11c257eed997e8/src/ReferralSystem.sol#L117-L128
Wenwin referral rewards doc: https://docs.wenwin.com/wenwin-lottery/protocol-architecture/token/rewards/referrals
Tools Used
Manual Review
Recommended Mitigation Steps
Bring the
getMinimumEligibleReferralsFactorCalculation()function in line with the documentation by replacing<with<=in this function.