Valenz - `WinnablesTicket::ownerOf` can get the wrong winner

[sherlock-admin3]

Valenz

Medium

WinnablesTicket::ownerOf can get the wrong winner

Summary

The WinnablesTicket::ownerOf can pick the wrong winner when called as the function cannot get the range of token that an owner have.

Root Cause

• The while (_ticketOwnership[id][ticketId] == address(0)) loop assumes that when the token has address(0), the owner is the closest ticketId owner before it. There is a chance that the ticket has no owner actually https://github.com/sherlock-audit/2024-08-winnables-raffles/blob/main/public-contracts/contracts/WinnablesTicket.sol#L93.

Internal pre-conditions

1. The tickets are not all sold

External pre-conditions

1. The function needs to be called

Attack Path

1. The function ownerOf is called
2. The function returns the winner based on the algorithm
3. Turns out that the token does not have an owner.

Impact

• The raffle can pick the wrong winner

PoC

No response

Mitigation

No response