k26dr/ethereum-games

Powerball(Lotteries.sol) Vulnerability?

Closed this issue · 8 comments

Couldn't find an email to report this to, but what happens in this scenario:

var numbers = [[1,1,1,1,1,1]];
lottery.buy(numbers, { from: accounts[0], value: 2e15 });

AFAICT the code doesn't check whether the numbers provided are unique, so it's much easier to guess the numbers, and the jackpot chances are ~1 in 69 or even better :)

k26dr commented

If you choose the same number wouldn't you just decrease your own chances of winning?

Nope,

Check following code from Powerball smart contract:

for (uint j=0; j < 5; j++) {
    for (uint k=0; k < 5; k++) {
        if (myNumbers[i][j] == winningNumbers[k])
            numberMatches += 1;
    }
}

This code means that, by guessing just one number, numberMatches gets set to 5 if the same number appears 5 times in the ticket.

Then it's easier to imagine what happens if someone buys an array of
[[1,1,1,1,1,1], [2,2,2,2,2,2],...,[69,69,69,69,69,69]]
(69 tickets)

Also, the code for generating winning numbers doesn't check whether a number has been drawn already, and I guess there might be hash 'collisions' where uint(rand) % MAX_NUMBER generates the same number:

for (uint i=0; i < 5; i++) {
    bytes32 rand = keccak256(block.blockhash(drawBlock), i);
    uint numberDraw = uint(rand) % MAX_NUMBER + 1;
    rounds[_round].winningNumbers[i] = numberDraw;
}

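The two gaps described in the comment above, modelled in JavaScript as an added example (not part of the original thread and not the project's code): the match loop as deployed, a purchase-time uniqueness check, and a draw that skips repeats. `MAX_NUMBER = 69`, the `rand(nonce)` stand-in for the keccak256 draw, and all sample values are assumptions.

```javascript
// Added example: JavaScript model of the ticket and draw checks from this thread.
const MAX_NUMBER = 69; // assumed from the 69-ticket scenario above

// Same nested loop as the deployed contract: every equal pair counts.
function countMatchesAsDeployed(ticket, winning) {
  let numberMatches = 0;
  for (let j = 0; j < 5; j++) {
    for (let k = 0; k < 5; k++) {
      if (ticket[j] === winning[k]) numberMatches += 1;
    }
  }
  return numberMatches;
}

// Purchase-time check: six entries, the five main numbers in range and distinct.
// The sixth number's range is not given in the thread, so it is not checked here.
function isValidTicket(ticket) {
  if (!Array.isArray(ticket) || ticket.length !== 6) return false;
  const seen = new Set();
  for (let j = 0; j < 5; j++) {
    const n = ticket[j];
    if (!Number.isInteger(n) || n < 1 || n > MAX_NUMBER || seen.has(n)) return false;
    seen.add(n);
  }
  return true;
}

// Draw five distinct numbers. rand(nonce) is a hypothetical stand-in for
// uint(keccak256(blockhash, nonce)); a repeated number is skipped and redrawn.
function drawDistinct(rand) {
  const drawn = [];
  for (let nonce = 0; drawn.length < 5; nonce++) {
    if (nonce >= 256) throw new Error("could not draw five distinct numbers");
    const n = (rand(nonce) % MAX_NUMBER) + 1;
    if (!drawn.includes(n)) drawn.push(n);
  }
  return drawn;
}

// Constructed sample data, not taken from any real round.
const winning = [1, 17, 23, 42, 60];
const repeated = [1, 1, 1, 1, 1, 1];
console.log(countMatchesAsDeployed(repeated, winning));
console.log(isValidTicket(repeated), isValidTicket([1, 17, 23, 42, 60, 9]));
console.log(drawDistinct((i) => [7, 7, 75, 3, 3, 10, 11][i]));
```
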
k26dr commented

You're right. This is a major flaw in the contract. Unfortunately it's been deployed and nothing can be done about it now. We will have to update it in the next version. We have a bug bounty for the book. 0.3 ETH per bug found. Post your address below and I'll send it to you.

0x3f59d81fd3b278830e4714b004763130fe367cf3

Thanks!

k26dr commented

sent

What's the reason that a contract's owner does not have an easy mechanism to terminate the contract? Is it a bug or a design feature of the framework? Thanks.

k26dr commented

Design feature. If the owner can terminate it they would be able to walk away with the jackpot with a selfdestruct at any time.