10190 matches found
Not enough validation checks for isValidSignature
Lines of code Vulnerability details Impact There are not enough validation checks in the isValidSignature function. The only validation check for the signature is the one for the zero address, which returns false. There should be enough validation checks Proof of Concept Tools Used Manual Review Recommende...
Risk of flashloan attacks in the Staking contract
Lines of code Vulnerability details Impact An attacker can steal a large amount of rewardsToken from the Staking contract by using flashloans, thus all the users will receive less rewards for their staked amounts. Proof of Concept In the Staking contract any user can stake a given amount of...
Lottery owner can manipulate the RNG to favour themselves, or other certain participants
Lines of code Vulnerability details The docs state that Chainlink VRF will be used as the source of randomness, whose subscription model is described here. A call is made to Chainlink's VRFCoordinatorV2 requestRandomWords function, after which a response is sent back in the form of a call to...
Winning ticket odds are not distributed equally amongst users
Lines of code Vulnerability details Impact Some users will be able to game the system and get optimal odds of winning both jackpot and non-jackpot rewards, making the entire protocol unfair for users. Proof of Concept The way Wenwin is intended to function is that every combination has equal odds of...
Rounding division error could occur in the receiveRandomNumber function
Lines of code Vulnerability details Impact This rounding division error could result in the prize pool being drained over time if it occurs repeatedly, as the actual amount of prizes awarded would always be slightly less than the intended amount. Proof of Concept drawRewardSize(drawFinalized,...
Accounting for totalTicketsForReferrersPerDraw is not correct in referralRegisterTickets
Lines of code Vulnerability details Impact When referralRegisterTickets is called, accounting for totalTicketsForReferrersPerDraw is not correct. totalTicketsForReferrersPerDraw for currentDraw should be updated when the unclaimed tickets for a referrer meet the minimum eligibility criteria in currentDr...
No sanity check on drawCoolDownPeriod can lead to frontrun attacks on jackpot prize
Lines of code Vulnerability details Impact During the construction of the LotterySetup, there is no sanity check on drawCoolDownPeriod. If it's set to zero, then there will be no cool down period, and players can buy lottery tickets at any time until the draw. Once lottery setup is complete with...
Rewards for the Staking.sol contract may be stolen via the first staker
Lines of code Vulnerability details Impact The return amount of the function rewardPerToken may be inflated for the first staker in the Staking.sol contract. Proof of Concept The Staking.sol contract is designed for the LOT token holders to be able to stake their native tokens. Thus, the token holders...
Multiplier must be capped to prevent expected payout exceeding ticket price
Lines of code Vulnerability details Impact Expected payout may be greater than ticket price, bankrupting the lottery. Proof of Concept ticketsSold determines the multiplier to be used when calculating non-jackpot rewards LotteryMath.sol#L84: `bonusMulti += excessPot * EXCESS_BONUS_ALLOCATION /...`
Winnings might be unable to catch up with prize pot
Lines of code Vulnerability details Impact Profit may become ineffective, meaning that funds are effectively stuck in the contract. Proof of Concept Funds are owned by the Lottery and the only way out is through payouts. However, since the jackpot is bound by jackpotBound the expected payout taki...
Upgraded Q -> 2 from #17 [1678363178694]
Judge has assessed an item in Issue 17 as 2 risk. The relevant finding follows: 5. Duplicated swingTrader addresses can be added which make sellMalt/buyMalt work incorrectly Details In function addSwingTrader, there is no check to ensure the swingTrader address does not already exist. So admin can make a...
If random number is too low, the lottery is not completely random
Summary Random numbers below a certain limit will always return at least one rightmost bit, while numbers above this limit will return random bits. Explanation: 1. The winning ticket is generated based on an array of numbers generated by randomNumber modulo selectionMax-n:...
Expected outgoing rewards for non-jackpot tiers are not normalized
Lines of code Vulnerability details Impact When calculating new profit, the calculation for non-jackpot rewards is not normalized and will be largely overestimated, due to the additional percentage scaling. This will lead to the excess pot for participants being much lower and hence failing to...
The minimum values of selectionMax and selectionSize are not verified when creating a lottery, which may create an unreasonable lottery
Lines of code Vulnerability details Summary src/LotterySetup.sol `constructor(LotterySetupParams memory lotterySetupParams) { if (address(lotterySetupParams.token) == address(0)) revert RewardTokenZero(); if (lotterySetupParams.ticketPrice == uint256(0)) revert TicketPriceZero(); if (lotterySetupParams.selectionSize...`
Ticket: Owner of winning ticket can frontrun secondary sales
Lines of code Vulnerability details The Wenwin docs note that tickets "can be traded on the secondary market before or after the draw," since they are standard ERC721 tokens. After a ticket draw, the owner of a winning ticket may call Lottery.claimWinningTickets, which transfers lottery winnings t...
Unsafe downcasting operation truncates numberOfTickets input
Lines of code Vulnerability details Impact An unsafe downcasting operation truncates the numberOfTickets input. Player and Referrer may lose their earnings because of the wrong downcasting Proof of Concept There are a few unsafe downcasting operations that truncate the numberOfTickets input. The impact can be...
Gas griefing is possible on unsafe external calls on execute
Lines of code Vulnerability details Impact A malicious or compromised actor that has EXECUTION_PERMISSION_ID may cause a gas griefing attack by returning actions[i].data with a really high payload. Griefing attacks have no economic incentive for the attacker but could lead to other issues e.g. not...
The Lottery Contract's Lack of Safeguards May Lead to Insufficient Funds for Jackpot Payouts
Lines of code Vulnerability details While it may be true that the probability of the scenario happening is low, it does not necessarily mean that the issue should not be considered valid. A low probability does not mean that the vulnerability should be ignored, especially if it can lead to a loss...
Some figures are more likely to be drawn
Lines of code Vulnerability details Description The function reconstructTicket generates the winning ticket from the random number generated by Chainlink VRF V2. The design of this function makes the occurrence of some numbers more likely than others. Impact With the current implementation and...
Fixed rewards may also be cut
Lines of code Vulnerability details Impact Fixed rewards may change when packed. Proof of Concept In LotterySetup.packFixedRewards `function packFixedRewards(uint256[] memory rewards) private view returns (uint256 packed) { if (rewards.length != selectionSize || rewards[0] != 0) revert InvalidFixedRewardSetup...`
referralRegisterTickets has an inaccurate calculation of the total number of tickets for referrers
Lines of code Vulnerability details Impact There is an inaccurate total ticket count for referrers, that is, when the number of unclaimed tickets for referrers has reached minimumEligibleReferrals[currentDraw], but when the number of referrer tickets is added to the new number of tickets will...
Incorrect usage of safeTransferFrom() function. This permanently traps ticketPrice in sender address (msg.sender)
Lines of code Vulnerability details Impact Because the caller (msg.sender) never gives approval for ERC20 transfers, calls to safeTransferFrom on the contract will revert with insufficient approval. This will trap the ticketPrice with the caller, unable to transfer it to the Lottery contract address. The root...
TicketUtils#reconstructTicket is biased towards lower numbers and allows gaming of odds
Lines of code Vulnerability details Impact Probability of lower numbers is higher and odds can be gamed Proof of Concept `for (uint256 i = 0; i < selectionSize; ++i) { numbers[i] = uint8(randomNumber % currentSelectionCount); randomNumber /= currentSelectionCount; currentSelectionCount--; }` To determine the...
function applyTargetPermissions() from PermissonManager.sol should use external grant function instead of internal function
Lines of code Vulnerability details Summary applySingleTargetPermissions and applyMultiTargetPermissions use the internal functions grant, revoke, grantWithCondition in a loop. Each of these internal functions has an external function (grant, revoke, grantWithCondition) that does the same thing with extra step...
Reentrancy in staking function exit
Lines of code Vulnerability details Impact The user, on calling exit, calls the updateReward function twice. Proof of Concept First entry: in function withdraw, burn calls the hook beforeTokenTransfer, which in turn calls updateReward. Second entry: getReward calls updateReward directly. Tools Used...
Likelihood of zero numbers among the numbers of the winning ticket
Lines of code Vulnerability details Impact The logic of the function reconstructTicket may give more zero numbers inside the packed winning ticket. Proof of Concept This issue may already be a sponsor-acknowledged case; however, it's worth explaining. Considering the case 7/35 for a lottery gam...
claimPerDraw() can account for referrals after the ticket registration deadline
Lines of code Vulnerability details When accounting for referrals, the beforeTicketRegistrationDeadline ensures tickets cannot be purchased after the draw registration deadline. The issue is that the referral registration happens for the current draw regardless of which draw the tickets are...
TicketUtils: Number draws are not uniformly distributed
Lines of code Vulnerability details The number selection algorithm in TicketUtils.reconstructTicket "draws" winning numbers using modulo arithmetic and a random seed. However, selected numbers are not uniformly distributed. Due to modulo bias and successive draw logic, higher numbers will be draw...
Wrong calculation in calculateNewProfit
Lines of code Vulnerability details Impact There is a wrong calculation of the cumulative net profit of the lottery, which affects the calculation of the excess pot and rewards per winning ticket including the jackpot in each draw. This vulnerability also leads to a Denial of Service of the Lotte...
Expected payout should not be determined off-chain
Lines of code Vulnerability details Impact Loss of profit and depletion of funds, the latter of which implies that some tickets will be unclaimable. Proof of Concept There is no guarantee to the correctness of LotterySetupParams.expectedPayout, which can be set freely within bounds in...
Source can change the result of the Lottery
Lines of code Vulnerability details Impact The loss of lottery winnings and incorrect distribution of funds Proof of Concept Reentrancy in Lottery.receiveRandomNumber(uint256) (src/Lottery.sol#203-232): External calls: - winAmount[drawFinalized][selectionSize] = drawRewardSize(drawFinalized, selectionSize) /...
Transaction failure due to out of gas.
Lines of code Vulnerability details Impact Transaction failure due to out of gas. Proof of Concept The DAO protocol allows users to deposit any tokens. If a bad actor creates a fake token and deposits it to the protocol, then contacts the appropriate person for a refund. A malicious person adds malicious...
Owner unable to withdraw the amount since depositDeadline values already expired
Lines of code Vulnerability details Impact The staker (msg.sender) loses his amount permanently once depositDeadline is over Proof of Concept DEPOSIT: `function deposit(uint256 amount) external override onlyOwner { // slither-disable-next-line timestamp if (block.timestamp > depositDeadline) revert...`
Validator/miner can set Block timestamp to a draw scheduled date and buy winning ticket if drawCoolDownPeriod is set to zero
Lines of code Vulnerability details Impact Validators/Miners would always be able to get the Jackpot prize, compromising the protocol. Proof of Concept The following foundry test illustrates this behaviour. Essentially, if the cooldown period time before a draw during which it is not possible to...
Wrong reward calculation if the reward token doesn't have 18 decimals
Lines of code Vulnerability details Impact If the rewardToken has less than 16 decimals, users will not be able to claim the correct value of their prize. Try not to think it will be DAI only. We will probably use DAI for the first product, but think more in general approach @0xluckydev5064 It is...
Loss of funds when buying tickets with no frontend
Lines of code Vulnerability details When tickets are bought, the protocol allows specifying a frontend that will receive a percentage of the ticket fee as rewards (10% for the current setup). However, if this input is left empty during purchase, frontend rewards will still be counted and associated...
drawCoolDownPeriod of 0 may allow frontrunning the draw with a winning ticket purchase
Lines of code Vulnerability details Impact Frontiness rather than luck may determine the winner. Proof of Concept drawCoolDownPeriod may be set to 0. Then a ticket may be bought in the same block as the draw. This allows for frontrunning the randomly selected winning ticket with a ticket purchase...
Division before multiplication leads to truncation
Lines of code Vulnerability details Impact Calculation could result in truncation. Proof of Concept Staking.sol#L60-L64: `function earned(address account) public view override returns (uint256) { return balanceOf(account) * (rewardPerToken() - userRewardPerTokenPaid[account]) / 1e18 + rewards[account]; }` above...
Malicious owner can steal funds
Lines of code Vulnerability details Impact If the owner is malicious, he can drain all funds to his wallet Proof of Concept Tools Used manual review Recommended Mitigation Steps 1. Transfer funds to a special trusted contract so funds can be locked and safe. 2. Limit the amount input value so there...
If frontend == address(0), 10% of the ticket price is not used as intended
Lines of code Vulnerability details Impact The function buyTickets, has no check that frontend is not equal to zero address. This is possible if there was some misconfiguration from the frontend side or a player uses this function directly and does not set any address. In this case, the user...
Incorrect handling of decimals
Lines of code Vulnerability details Impact Incorrect calculations in case the token has a different number of decimals Proof of Concept Both the earned and the rewardPerToken functions calculate the decimals based on the hardcoded assumption that the token will have 18 decimals (1e18), however...
Loss of reward for stakingRewardRecipient
Lines of code Vulnerability details Impact Anyone can call claimRewards function with rewardType = LotteryRewardType.STAKING, in which function LotteryMath.calculateRewards is used to calculate reward to transfer to beneficiary. By observing number of ticketsSold calculated from the...
Malicious user can frontrun the selling or transferring of a ticket to claim the rewards
Lines of code Vulnerability details A bad actor can trick a user into buying an unclaimed ticket and frontrun the selling or transfer of the NFT to claim the rewards associated with the ticket before the original transaction. Impact Given the described scenario, a bad actor can frontrun the...
Minimum referral requirement is incorrectly computed
Lines of code Vulnerability details As per the docs: Referrer rewards are allocated on a per draw basis Referrers who meet the minimum referral requirement according to the following table will be eligible for the Individual Referrer Allocation The minimum referral requirement for a draw N + 1 is...
Lottery Insolvency can lead to unclaimable winning tickets despite paying out Frontend and Staking rewards
Lines of code Vulnerability details Impact Lottery Insolvency can lead to unclaimable winning tickets despite paying out Frontend and Staking rewards Proof of Concept When distributing the winning tokens, it is possible that there is an insufficient balance to be able to pay winning tickets while...
Fixed rewards in DAI (or similar token) can potentially overflow when being packed
Lines of code Vulnerability details When the lottery is initialized, fixed rewards are tightly packed in a 256 bit word. This is implemented in the packFixedRewards function: `function packFixedRewards(uint256[] memory rewards) private view returns (uint256 packed) { if (rewards.length != selectionSize ||...`
Front-running to register subdomain
Lines of code Vulnerability details Impact An attacker can front-run createDao to register the subdomain and revert the user's transaction. Proof of Concept The createDao function is used to create a new DAO, register it on the DAO registry, and install a list of plugins via the plugin set...
Estimated profit may drift
Lines of code Vulnerability details Impact The lottery is not sustainable over time. Excess pot calculation may drift, which either leads to insufficient payouts or a depletion of funds. Proof of Concept The payouts are calculated using an estimate of the net profit, currentNetProfit. There is...
SWC-101 Arithmetic Overflow test/LotteryInvariantChecks.t.sol testBuyClaimFinalize()
Lines of code Vulnerability details Impact Integer overflow on finalizeDraw function. Failing tests: Encountered 1 failing test in test/LotteryInvariantChecks.t.sol:LotteryInvariantChecksTest FAIL. Reason: Arithmetic over/underflow Counterexample:...
DAO.sol auth() for ROOT_PERMISSION_ID should not need to depend on hidden IPermissionCondition _auth() from PermissionManager.sol
Lines of code Vulnerability details Summary The PermissionManager.sol auth modifier passes along msg.data from all functions, which is really out of place. There is little reason to pass along more unused data than necessary. It is reasonable to expect ROOT_PERMISSION_ID and other DAO executive roles controlled by...