CVE-2018-17071

N/A

Descricao

The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

Detalhes CVE

Pontuacao CVSS v3.1N/A

Publicado9/18/2018

Ultima modificacao11/21/2024

Fontenvd

Avistamentos honeypot0

Produtos afetados

lucky9:lucky9io

Fraquezas (CWE)

CWE-338

Referencias

https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071(cve@mitre.org)

https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071(af854a3a-2127-422b-91ae-364da2661108)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.