SmartBillions Lottery

ID: 1
Submit date: 10.25.2018
Publish date: 10.25.2018
Author: Posit
Score: 10.0

Description

The lottery functions were flawed. If you place a bet (systemPlay() function) on the number value “0” and then call the won() function 256+ blocks after placing the bet, the returned value will be “0”: you would have bet on “000000”, the result would be “000000”, and you win the jackpot. The lucky guy's first bet was “1”, so “000001”, and the result of calling won() after 256+ blocks would be “000000”, so he matched 5 correctly, which is 20000x: with a 0.01 ETH bet amount, a win of 200 ETH. He managed to pull that off 2 times and then corrected the bet to “0”. For that transaction he had to wait for 256+ blocks, but 5 min before he could call won() the owners withdrew all funds.

Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H/CI:N/II:H/AI:N
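The 256-block behaviour described above, as an added Python model that is not the contract's own code: the EVM's BLOCKHASH returns zero for any block outside the 256 most recent, so a draw read from an expired hash is "000000", and a settlement routine has to reject that case. The function names `won_vulnerable` and `won_hardened`, the six-hex-digit encoding and the SHA-256 stand-in hashes are assumptions made for this sketch.

```python
import hashlib

WINDOW = 256  # the EVM only exposes hashes of the 256 most recent blocks


def blockhash(number: int, current: int) -> int:
    """Model of the EVM BLOCKHASH rule: zero outside the last 256 blocks."""
    if number >= current or current - number > WINDOW:
        return 0
    # Constructed stand-in for a real block hash.
    digest = hashlib.sha256(number.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def digits(value: int) -> str:
    """Low 24 bits as six hex digits (assumed encoding for this model)."""
    return f"{value & 0xFFFFFF:06x}"


def matches(bet: int, result: int) -> int:
    """Count positions where the bet and the drawn digits agree."""
    return sum(a == b for a, b in zip(digits(bet), digits(result)))


def won_vulnerable(bet: int, bet_block: int, current: int) -> int:
    # Flaw: an expired hash reads as 0, so the draw silently becomes 000000.
    return matches(bet, blockhash(bet_block, current))


def won_hardened(bet: int, bet_block: int, current: int) -> int:
    # Check: refuse to settle once the hash is no longer available.
    result = blockhash(bet_block, current)
    if result == 0:
        raise ValueError("bet expired: block hash unavailable")
    return matches(bet, result)
```
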

Component

Smart contract

Platform

Ethereum

Subclass

Entropy Illusion

Original source

https://etherscan.io/address/0x5ace17f87c7391e5792a7683069a8025b83bbd85

Comments


November, 2 02:27pm

nice

@therbishal November, 29 08:37am

s