The Wenwin docs note that tickets βcan be traded on the secondary market before or after the draw,β since they are standard ERC721 tokens.
After a ticket draw, the owner of a winning ticket may call Lottery#claimWinningTickets, which transfers lottery winnings to the ticket owner:
function claimWinningTickets(uint256[] calldata ticketIds) external override returns (uint256 claimedAmount) {
uint256 totalTickets = ticketIds.length;
for (uint256 i = 0; i < totalTickets; ++i) {
claimedAmount += claimWinningTicket(ticketIds[i]);
}
rewardToken.safeTransfer(msg.sender, claimedAmount);
}
A malicious winner can thus list their winning ticket on the secondary market and frontrun purchase transactions to collect both their winning reward and the secondary sale price of their ticket.
Scenario:
Recommendation:
Consider a two step process for claiming awards: the end user can first submit their intent to claim, wait a fixed period of time, then finalize their claim.
Additionally, consider using Ticket token ERC721 metadata to clearly visually distinguish claimed and unclaimed tickets to mitigate secondary market scams. (For example, change the background color of claimed vs unclaimed ticket tokens). The current implementation has no token metadata for Ticket ERC721s, which will make it difficult to distinguish claimed/unclaimed and pre-draw/post-draw tickets trading on secondary marketplaces. Even a simple dynamic token SVG could mitigate many secondary market scams.
The text was updated successfully, but these errors were encountered:
π 1 romeroadrian reacted with thumbs up emoji
All reactions