Lucky9io Lottery Smart Contract Vulnerability: Exploitable Random Number Generation and Currency Unit Misconfiguration

Lucky9io Lottery Smart Contract Vulnerability: Exploitable Random Number Generation and Currency Unit Misconfiguration

CVE-2018-17071 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

Learn more about our Web Application Penetration Testing UK.