CVE-2018-17071

Published: Sep 18, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2018-17071

Description

Affected Products

References