code423n4 / Code4rena: 2023-03-wenwin-findings, issue 425
Mar 09, 2023

Ticket: Owner of winning ticket can frontrun secondary sales

Code4rena
github.com
Tags: wenwin, erc721, frontrun, secondary market, scams

Lines of code

Vulnerability details

The Wenwin docs note that tickets “can be traded on the secondary market before or after the draw,” since they are standard ERC721 tokens.

After a ticket draw, the owner of a winning ticket may call Lottery#claimWinningTickets, which transfers lottery winnings to the ticket owner:

Lottery#claimWinningTickets:

    /// Claims every ticket in `ticketIds` and pays the caller the summed payout in one transfer.
    /// There is no announcement step or delay: the claim settles in the block it is mined,
    /// so it can be ordered ahead of a pending secondary-market purchase of the same ticket.
    function claimWinningTickets(uint256[] calldata ticketIds) external override returns (uint256 claimedAmount) {
        uint256 totalTickets = ticketIds.length;
        for (uint256 i = 0; i < totalTickets; ++i) {
            // claimWinningTicket returns the payout owed for one ticket
            claimedAmount += claimWinningTicket(ticketIds[i]);
        }
        // the whole payout goes to msg.sender, i.e. whoever owns the tickets at this moment
        rewardToken.safeTransfer(msg.sender, claimedAmount);
    }

A malicious winner can thus list their winning ticket on the secondary market and frontrun purchase transactions to collect both their winning reward and the secondary sale price of their ticket.

Scenario:

  1. Mallory buys a Wenwin ticket.
  2. Following the draw, the ticket is revealed as a Match 6 winner, worth 1500 DAI.
  3. Mallory lists the winning ticket on a secondary marketplace like OpenSea for 1000 DAI.
  4. Alice sees the ticket listed at a discount, and submits a transaction to purchase Mallory’s listed ticket.
  5. Mallory frontruns Alice’s transaction and claims ticket winnings before the token is transferred to Alice.
  6. Mallory receives both lottery winnings and secondary sale price. Alice cannot claim the lottery winnings from the ticket she purchased.

Recommendation:
Consider a two-step process for claiming awards: the end user first submits their intent to claim, waits a fixed period of time, then finalizes their claim.

Additionally, consider using the Ticket token's ERC721 metadata to visually distinguish claimed from unclaimed tickets, to mitigate secondary market scams (for example, change the background color of claimed vs. unclaimed ticket tokens). The current implementation has no token metadata for Ticket ERC721s, which will make it difficult to distinguish claimed/unclaimed and pre-draw/post-draw tickets trading on secondary marketplaces. Even a simple dynamic token SVG could mitigate many secondary market scams.
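The following sketch is an added example of both recommendations above, not Wenwin's code: claiming is split into an announce step and a finalize step separated by a fixed delay, and tokenURI renders claimed and unclaimed tickets differently. It goes one step beyond the finding by refusing to transfer a ticket while a claim intent is pending, so a sale cannot be ordered between the two steps. Assumptions: OpenZeppelin 4.8/4.9 (the four-argument `_beforeTokenTransfer` hook and `_requireMinted`), a `CLAIM_DELAY` of one day chosen arbitrarily, and a hypothetical `_winningsOf` hook standing in for the lottery's own payout lookup.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import "@openzeppelin/contracts/token/ERC721/ERC721.sol";
import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import "@openzeppelin/contracts/utils/Strings.sol";

/// Illustrative sketch (not Wenwin's code): two-step claims, transfers frozen while a
/// claim is pending, and on-chain metadata that marks claimed tickets.
abstract contract TwoStepClaimTicket is ERC721 {
    using SafeERC20 for IERC20;

    IERC20 public immutable rewardToken;
    uint256 public constant CLAIM_DELAY = 1 days; // assumed value; tune to the draw cadence

    struct ClaimIntent { address claimant; uint64 readyAt; }
    mapping(uint256 => ClaimIntent) public claimIntents; // ticketId => pending intent
    mapping(uint256 => bool) public claimed;             // ticketId => payout already taken

    event ClaimAnnounced(uint256 indexed ticketId, address indexed claimant, uint64 readyAt);
    event ClaimCancelled(uint256 indexed ticketId);
    event ClaimFinalized(uint256 indexed ticketId, address indexed claimant, uint256 amount);

    constructor(IERC20 rewardToken_) ERC721("Ticket", "TKT") {
        rewardToken = rewardToken_;
    }

    /// Hypothetical hook supplied by the lottery: payout owed to ticketId after its draw
    /// (0 if the ticket did not win or the draw has not been executed).
    function _winningsOf(uint256 ticketId) internal view virtual returns (uint256);

    /// Step 1: record the intent on-chain, where any buyer or marketplace can read it.
    function announceClaim(uint256 ticketId) external {
        require(ownerOf(ticketId) == msg.sender, "not owner");
        require(!claimed[ticketId], "already claimed");
        uint64 readyAt = uint64(block.timestamp + CLAIM_DELAY);
        claimIntents[ticketId] = ClaimIntent(msg.sender, readyAt);
        emit ClaimAnnounced(ticketId, msg.sender, readyAt);
    }

    /// The claimant may withdraw an intent, which re-enables transfers of the ticket.
    function cancelClaim(uint256 ticketId) external {
        require(claimIntents[ticketId].claimant == msg.sender, "no intent by caller");
        delete claimIntents[ticketId];
        emit ClaimCancelled(ticketId);
    }

    /// Step 2: finalize once the delay has elapsed; same batching shape as the original.
    function claimWinningTickets(uint256[] calldata ticketIds) external returns (uint256 claimedAmount) {
        for (uint256 i = 0; i < ticketIds.length; ++i) {
            claimedAmount += _finalizeClaim(ticketIds[i]);
        }
        rewardToken.safeTransfer(msg.sender, claimedAmount);
    }

    function _finalizeClaim(uint256 ticketId) internal returns (uint256 amount) {
        ClaimIntent memory intent = claimIntents[ticketId];
        require(intent.claimant == msg.sender, "no intent by caller");
        require(block.timestamp >= intent.readyAt, "delay not elapsed");
        require(ownerOf(ticketId) == msg.sender, "not owner");
        require(!claimed[ticketId], "already claimed");
        claimed[ticketId] = true;        // effects before the external token transfer
        delete claimIntents[ticketId];
        amount = _winningsOf(ticketId);
        emit ClaimFinalized(ticketId, msg.sender, amount);
    }

    /// A ticket with a pending claim cannot change hands, so a purchase submitted between
    /// announce and finalize reverts instead of delivering an already-claimed ticket.
    function _beforeTokenTransfer(address from, address to, uint256 firstTokenId, uint256 batchSize)
        internal virtual override
    {
        super._beforeTokenTransfer(from, to, firstTokenId, batchSize);
        require(claimIntents[firstTokenId].claimant == address(0), "claim pending");
    }

    /// On-chain metadata: a dynamic SVG whose colour and label reflect the claimed state.
    function tokenURI(uint256 ticketId) public view virtual override returns (string memory) {
        _requireMinted(ticketId);
        string memory fill = claimed[ticketId] ? "gray" : "limegreen";
        string memory label = claimed[ticketId] ? "CLAIMED" : "UNCLAIMED";
        string memory id = Strings.toString(ticketId);
        string memory svg = string.concat(
            "<svg xmlns='http://www.w3.org/2000/svg' width='300' height='150'>",
            "<rect width='100%' height='100%' fill='", fill, "'/>",
            "<text x='20' y='80' font-size='28'>Ticket ", id, " ", label, "</text></svg>"
        );
        return string.concat(
            "data:application/json;utf8,{\"name\":\"Ticket ", id, "\",\"description\":\"", label,
            "\",\"image\":\"data:image/svg+xml;utf8,", svg, "\"}"
        );
    }
}
```

The delay on its own only makes the seller's intent observable: a buyer who reads `claimIntents(ticketId)` before purchasing sees it, but a seller who announced a day earlier could still finalize in the same block as the sale. Freezing transfers while an intent exists closes that ordering, at the cost that a ticket must have its intent cancelled before it can be sold. The `claimed` flag and `tokenURI` then give marketplaces something to render, so an already-claimed ticket no longer looks identical to a live one.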
