Wenwin contest - ast3ros's results

The next generation of chance-based gaming.

General Information

Platform: Code4rena

Start Date: 06/03/2023

Pot Size: $36,500 USDC

Total HM: 8

Participants: 93

Period: 3 days

Judge: cccz

Total Solo HM: 3

Id: 218

League: ETH

Wenwin

Findings Distribution

Researcher Performance

Rank: 6/93

Findings: 2

Award: $1,008.88

QA: grade-a

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: Haipls

Also found by: Cyfrin, ast3ros

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-76

Awards

839.0809 USDC - $839.08

External Links

Lines of code

https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/staking/Staking.sol#L50-L52

Vulnerability details

Impact

When revenue is generated, 20% of it is deposited into the staking contract by calling the function Lottery.claimRewards: https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/Lottery.sol#L151-L157

If the staking contract has no tokens staked (_totalSupply == 0), the 20% revenue is not accounted for. The DAI amount will be stuck there permanently and nobody can withdraw it: https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/staking/Staking.sol#L50-L52

Proof of Concept

Scenario: after two years, all the locked tokens are released.

Tools Used

Manual

Recommended Mitigation Steps

Implement logic to handle the case where the totalSupply of the staking contract is 0. In that case, the revenue can be added to the overall pot instead of being sent to the staking contract.
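The accounting failure described above, as an added example that is not Wenwin's code: a simplified Python model of Synthetix-style reward-per-token staking (assumed here to be the pattern the Staking contract follows), in which rewards delivered while total supply is zero are held by the pool but never credited to anyone. The `redirect_when_empty` flag is a hypothetical switch modelling the suggested fix of sending such rewards to the pot instead; `run_scenario` returns (DAI claimed by all stakers, DAI stuck in the pool, DAI in the pot).

```python
# Added example, not Wenwin's code: Synthetix-style reward-per-token accounting model.
from dataclasses import dataclass, field
DAI = 10**18  # 1 DAI in wei; also the fixed-point scale for reward_per_token
@dataclass
class StakingModel:
    redirect_when_empty: bool = False  # hypothetical mitigation switch
    total_supply: int = 0
    reward_per_token_stored: int = 0
    balances: dict = field(default_factory=dict)
    paid: dict = field(default_factory=dict)     # reward_per_token settled per user
    rewards: dict = field(default_factory=dict)  # settled, unclaimed DAI per user
    dai_held: int = 0  # DAI sitting in the pool
    pot: int = 0       # where redirected rewards go under the mitigation
    def add_rewards(self, amount):  # the lottery's 20% revenue share arrives here
        if self.total_supply == 0 and self.redirect_when_empty:
            self.pot += amount  # mitigation: keep it claimable elsewhere
            return
        self.dai_held += amount
        if self.total_supply == 0:
            return  # finding: no stakers, so this DAI is never accounted for
        self.reward_per_token_stored += amount * DAI // self.total_supply
    def _settle(self, user):
        delta = self.reward_per_token_stored - self.paid.get(user, 0)
        self.rewards[user] = self.rewards.get(user, 0) + self.balances.get(user, 0) * delta // DAI
        self.paid[user] = self.reward_per_token_stored
    def stake(self, user, amount):
        self._settle(user)
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_supply += amount
    def withdraw(self, user, amount):
        self._settle(user)
        self.balances[user] -= amount
        self.total_supply -= amount
    def claim(self, user):
        self._settle(user)
        amount = self.rewards.pop(user, 0)
        self.dai_held -= amount
        return amount

def run_scenario(redirect_when_empty):
    # Constructed scenario: (claimed DAI, DAI stuck in pool, DAI in pot)
    pool = StakingModel(redirect_when_empty)
    pool.stake("alice", 100 * DAI)
    pool.add_rewards(50 * DAI)         # alice is the only staker: fully credited
    pool.withdraw("alice", 100 * DAI)  # everyone leaves, total_supply == 0
    pool.add_rewards(20 * DAI)         # revenue arrives while the pool is empty
    pool.stake("bob", 100 * DAI)
    pool.add_rewards(30 * DAI)         # credited to bob
    claimed = pool.claim("alice") + pool.claim("bob")
    return claimed, pool.dai_held, pool.pot
```

Without the switch, 20 DAI remains in the pool with no claim against it; with the switch, the same 20 DAI ends up in the pot and the pool balance is fully claimable.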

#0 - c4-judge

2023-03-10T07:50:45Z

thereksfour changed the severity to 2 (Med Risk)

#1 - c4-judge

2023-03-10T07:50:51Z

thereksfour marked the issue as primary issue

#2 - c4-judge

2023-03-10T14:49:41Z

thereksfour marked the issue as duplicate of #322

#3 - c4-judge

2023-03-10T14:53:46Z

thereksfour changed the severity to 3 (High Risk)

#4 - c4-judge

2023-03-14T11:34:01Z

thereksfour changed the severity to 2 (Med Risk)

#5 - c4-judge

2023-03-19T10:12:56Z

thereksfour marked the issue as satisfactory

Awards

169.7989 USDC - $169.80

Labels

bug
grade-a
QA (Quality Assurance)
sponsor disputed
Q-36

External Links

[L-1] The amount of pre-staked tokens should be specified in the constructor of the Lottery Token contract and locked automatically

In the Wenwin white paper, 20% of the supply (200,000,000 tokens) is allocated to the team; this allocation is pre-staked and locked for 1 year before the Initial Sale begins. https://docs.wenwin.com/wenwin-lottery/protocol-architecture/token

Instead of sending the 200 million LOT tokens to the admin account, they should be created and deposited directly into the locked staking contract. This will enhance the trust of users and investors. https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/LotteryToken.sol#L17-L20

Mint the pre-staked amount directly to the staking contract and send the staked tokens into the StakedTokenLock contract.

[NC-1] Check for address(0) on important inputs

Instance:

https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/Lottery.sol#L113-L114

[NC-2] Remove the keyword this from internal function calls

In Solidity, a function in the same contract can be called by its name without writing this.function. This is the recommended way to write the call, as it is more concise and clear.

https://github.com/code-423n4/2023-03-wenwin/blob/a260ecba74720c631ab06ecdd67167317b976b60/src/Lottery.sol#L261

#0 - thereksfour

2023-03-12T10:37:51Z

2 INFO DOWN: 3 L 1 INFO

#1 - c4-judge

2023-03-12T10:37:55Z

thereksfour marked the issue as grade-b

#2 - c4-sponsor

2023-03-14T11:19:40Z

0xluckydev marked the issue as sponsor disputed

#3 - thereksfour

2023-03-17T13:28:07Z

4L 2INFO A

#4 - c4-judge

2023-03-17T13:28:12Z

thereksfour marked the issue as grade-a
