Lines of code
https://github.com/GenerationSoftware/pt-v5-draw-auction/blob/f1c6d14a1772d6609de1870f8713fb79977d51c1/src/RngRelayAuction.sol#L147-L148
Vulnerability details
Impact
When the rewards are calculated using _computeRewards(), the attacker's inflated rewardFraction will be used, giving them a bigger share of the rewards.
Proof of Concept
The _rngAuctionResult passed to rngComplete() is stored directly into the auctionResults array without any validation. An attacker could call rngComplete() with a manipulated _rngAuctionResult that has an inflated rewardFraction value. This would allow the attacker to receive a larger share of the rewards.
Tools Used
Manual
Recommended Mitigation Steps
_rngAuctionResult should be validated before using it. For example:
• Check that rewardFraction is within an expected range
• Ensure recipient is the address of the valid RNG relay contract
• Compare values to previously stored auction results to detect manipulation
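The three checks above, written out as an added, self-contained Solidity sketch. This is not the project's RngRelayAuction.sol: the struct layout (recipient plus a rewardFraction scaled by 1e18), the trusted relayer address, the sequence-id argument and the custom errors are all assumptions made for illustration, and the contract is deliberately reduced to the rngComplete() / auctionResults / _computeRewards() path the finding talks about.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Assumed shape of the auction result; the real struct may differ.
struct AuctionResult {
    address recipient;      // who receives this slice of the reserve
    uint64 rewardFraction;  // share of the reserve, scaled so that 1e18 == 100% (assumption)
}

/// Reduced, illustrative relay auction showing the validated version of rngComplete().
/// In the vulnerable pattern described in the finding, _rngAuctionResult is pushed
/// into auctionResults as-is, so any caller-supplied rewardFraction is trusted.
contract HardenedRngRelayAuction {
    uint64 public constant ONE = 1e18;             // 100% in rewardFraction units
    address public immutable trustedRelay;         // assumed: only valid relay contract
    uint32 public lastSequenceId;                  // last completed RNG sequence
    AuctionResult[] public auctionResults;

    error UnauthorizedCaller(address caller);
    error RewardFractionOutOfRange(uint64 fraction);
    error InvalidRecipient(address recipient);
    error SequenceAlreadyCompleted(uint32 sequenceId);
    error RewardFractionsExceedReserve(uint64 total);

    constructor(address _trustedRelay) {
        trustedRelay = _trustedRelay;
    }

    /// Validates _rngAuctionResult before it is stored, instead of pushing it blindly.
    function rngComplete(
        uint32 _sequenceId,
        AuctionResult calldata _rngAuctionResult,
        AuctionResult calldata _relayAuctionResult
    ) external {
        // Only the trusted relay may report a completed RNG auction.
        if (msg.sender != trustedRelay) revert UnauthorizedCaller(msg.sender);

        // Check 1: rewardFraction must be within the expected range (0..100%).
        if (_rngAuctionResult.rewardFraction > ONE) {
            revert RewardFractionOutOfRange(_rngAuctionResult.rewardFraction);
        }
        // The two results together can never claim more than the whole reserve.
        uint64 total = _rngAuctionResult.rewardFraction + _relayAuctionResult.rewardFraction;
        if (total > ONE) revert RewardFractionsExceedReserve(total);

        // Check 2: the RNG result's recipient must be the valid relay contract.
        if (_rngAuctionResult.recipient != trustedRelay) {
            revert InvalidRecipient(_rngAuctionResult.recipient);
        }

        // Check 3: compare against previously stored state so a sequence that was
        // already completed cannot be re-submitted with different numbers.
        if (auctionResults.length != 0 && _sequenceId <= lastSequenceId) {
            revert SequenceAlreadyCompleted(_sequenceId);
        }

        lastSequenceId = _sequenceId;
        auctionResults.push(_rngAuctionResult);
        auctionResults.push(_relayAuctionResult);
    }

    /// Reward computation over the stored results; with the checks above the
    /// fractions used here are bounded, so no single recipient can inflate its share.
    function _computeRewards(uint256 _reserve) internal view returns (uint256[] memory rewards) {
        uint256 n = auctionResults.length;
        rewards = new uint256[](n);
        for (uint256 i = 0; i < n; i++) {
            rewards[i] = (_reserve * auctionResults[i].rewardFraction) / ONE;
        }
    }

    /// Public view wrapper so the effect of validation can be inspected in tests.
    function computeRewards(uint256 _reserve) external view returns (uint256[] memory) {
        return _computeRewards(_reserve);
    }
}
```

The essential change is that every field the caller controls is checked against an invariant the contract already knows (a bounded fraction, a known recipient, a monotonically increasing sequence) before it reaches storage and, later, _computeRewards().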
Assessed type
Other