Description
play() is implemented. It declares a variable Game game, but does not initialize it. It will therefore default to a pointer to slot zero of the contract’s storage space. Then, it stores your address in its first member, storage slot 0, and the submitted number in the second one, that maps to storage slot 1. So, in practice, this will end up overwriting the contract's secretNumber with the attacker account’s address, and lastPlayed with the number submitted.
Then, it will compare secretNumber, which is now your account’s address, with the number you submitted. Since you can only submit numbers smaller than 10, you can only win if your account’s address is within the range 0x0 to 0x0a.
Vector: BVSS:1.1/B:S/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H/CI:N/II:H/AI:H
Original source
https://etherscan.io/address/0x8685631276cfcf17a973d92f6dc11645e5158c0c#code