RSS   Podatności dla 'Lucky9io'   RSS

2018-09-18
 
CVE-2018-17071

CWE-338
 

 
The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

 


Copyright 2021, cxsecurity.com

 

Back to Top