Wenwin contest


alexxander	1/93	$8,080.04	2	0	2	2	0	0
NoamYakov	2/93	$4,040.02	1	0	1	1	0	0
Cyfrin	3/93	$1,814.02	3	1	1	0	-	0
adriro	4/93	$1,307.28	5	1	2	0	Grade A	Grade B
Haipls	5/93	$1,252.17	3	0	2	0	0	Grade B
ast3ros	6/93	$1,008.88	2	0	1	0	Grade A	0
anodaram	7/93	$925.18	2	1	1	0	0	0
Yukti_Chinta	8/93	$789.14	2	1	0	0	-	0
d3e4	9/93	$713.63	2	0	2	0	0	0
bin2chen	10/93	$641.04	2	1	0	0	Grade B	0


alexxander	1/93	$8,080.04	2	0	2	2	0	0
NoamYakov	2/93	$4,040.02	1	0	1	1	0	0
Cyfrin	3/93	$1,814.02	3	1	1	0	-	0
adriro	4/93	$1,307.28	5	1	2	0	Grade A	Grade B
Haipls	5/93	$1,252.17	3	0	2	0	0	Grade B
ast3ros	6/93	$1,008.88	2	0	1	0	Grade A	0
anodaram	7/93	$925.18	2	1	1	0	0	0
Yukti_Chinta	8/93	$789.14	2	1	0	0	-	0
d3e4	9/93	$713.63	2	0	2	0	0	0
bin2chen	10/93	$641.04	2	1	0	0	Grade B	0

Wenwin contest details

Total Prize Pool: $36,500 USDC
- HM awards: $25,500 USDC
- QA report awards: $3,000 USDC
- Gas report awards: $1,500 USDC
- Judge + presort awards: $6,000 USDC
- Scout awards: $500 USDC
Join C4 Discord to register
Submit findings using the C4 form
Read our guidelines for more details
Starts March 06, 2023 20:00 UTC
Ends March 09, 2023 20:00 UTC

Automated Findings / Publicly Known Issues

Automated findings output for the contest can be found here within an hour of contest opening.

Note for C4 wardens: Anything included in the automated findings output is considered a publicly known issue and is ineligible for awards.

There is a certain scenario when the lottery would run out of funds. This can happen in extreme scenarios when the jackpot is won in consecutive draws, while the ticket sales were low. The probability of this happening is 0.3%. This issue will not be considered valid.

Overview

Wenwin is a decentralized gaming protocol that provides developers with the ability to create chance-based games on the blockchain. The first product is Lottery, and it is the subject of this audit contest. All the contracts have extensive NatSpec comments and most of them are located in the interfaces or base contracts.

The protocol's main contracts are:

Lottery: The main entry point for all lottery actions, including buying tickets, claiming rewards, and executing draws. Issues Ticket ERC-721 NFTs to players. It inherits from RNSourceController that controls random number sources and prevents the lottery's owner from changing the source without it failing to deliver a random number for a while.
LotteryToken: The native token of Wenwin Lottery. It can be staked (stakers receive a portion of ticket sales) and referral rewards.
VRFv2RNSource: The Chainlink VRFv2 random number source integration used for generating a winning ticket combination for a draw.
Staking: A contract implementing native token staking that receives rewards from ticket sales and distributes them to stakers.

For more detailed information about the protocol, please refer to the Wenwin Lottery documentation.

Scope

In scope

Files in scope

File	SLOC	Description and Coverage	Libraries
Contracts (6)
src/LotteryToken.sol	18	The native token of Wenwin Lottery, used for staking and referral rewards, 100.00%	`@openzeppelin/*`
src/VRFv2RNSource.sol	30	A Chainlink VRFv2 random number source integration, 100.00%	`@chainlink/*`
src/staking/StakedTokenLock.sol 📤	36	An implementation of staked token lock to be used for team tokens, 100.00%	`@openzeppelin/*`
src/staking/Staking.sol	96	A contract implementing native token staking, 100.00%	`@openzeppelin/*`
src/LotterySetup.sol 🌀	143	A lottery parameters setup contract, 71.43%	`@openzeppelin/*`
src/Lottery.sol 🌀	220	The main entry point for all Wenwin Lottery actions, 94.20%	`@openzeppelin/*`
Abstracts (4)
src/Ticket.sol	16	A lottery ticket represented as NFT (ERC-721), 100.00%	`@openzeppelin/*`
src/RNSourceBase.sol	33	A base abstract contract for a random number source, 86.67%
src/RNSourceController.sol ♻️	91	An abstract contract that manages random number sources, 94.74%	`@openzeppelin/*`
src/ReferralSystem.sol	119	An abstract contract that implements Lottery referral system, 39.53%	`@openzeppelin/*`
Libraries (3)
src/PercentageMath.sol	11	A library implementing percentage math functions and constants, 0.00%
src/TicketUtils.sol Σ	68	A library implementing utilities for lottery ticket combinations, 100.00%
src/LotteryMath.sol	81	A library implementing basic math functions used by Wenwin Lottery, 14.29%
Interfaces (11)
src/interfaces/IVRFv2RNSource.sol	7	-
src/interfaces/ILotteryToken.sol	8	-	`@openzeppelin/*`
src/interfaces/ITicket.sol	11	-	`@openzeppelin/*`
src/staking/interfaces/IStakedTokenLock.sol	14	-
src/interfaces/IReferralSystemDynamic.sol	18	-
src/interfaces/IRNSource.sol	22	-
src/staking/interfaces/IStaking.sol	23	-	`@openzeppelin/*`
src/interfaces/IReferralSystem.sol	28	-
src/interfaces/IRNSourceController.sol	29	-	`@openzeppelin/*`
src/interfaces/ILottery.sol	54	-
src/interfaces/ILotterySetup.sol	59	-	`@openzeppelin/*`
Total (over 24 files):	1235	80.69%

External imports

@chainlink/contracts/src/v0.8/VRFV2WrapperConsumerBase.sol
- src/VRFv2RNSource.sol
@openzeppelin/contracts/access/Ownable2Step.sol
@openzeppelin/contracts/token/ERC20/ERC20.sol
- src/LotteryToken.sol
- src/staking/Staking.sol
@openzeppelin/contracts/token/ERC20/extensions/IERC20Metadata.sol
- src/LotterySetup.sol
@openzeppelin/contracts/token/ERC20/IERC20.sol
@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol
- src/Lottery.sol
- src/staking/Staking.sol
@openzeppelin/contracts/token/ERC721/ERC721.sol
- src/Ticket.sol
@openzeppelin/contracts/token/ERC721/IERC721.sol
- src/interfaces/ITicket.sol
@openzeppelin/contracts/utils/math/Math.sol

Out of scope

All the contracts under the test and script directories.

Scoping Details

- If you have a public code repo, please share it here:  https://github.com/wenwincom/wenwin-contracts
- How many contracts are in scope?:   13
- Total SLoC for these contracts?:  962
- How many external imports are there?: Open Zeppelin, ChainLink
- How many separate interfaces and struct definitions are there for the contracts within scope?:  11
- Does most of your code generally use composition or inheritance?: We use inheritance for Lottery contract to divide responsibility of the contract.
- How many external calls?: 3
- What is the overall line coverage percentage provided by your tests?:  100
- Is there a need to understand a separate part of the codebase / get context in order to audit this part of the protocol?: false  
- Please describe required context:   n/a
- Does it use an oracle?:  true (ChainLink VRFv2 randomness oracle)
- Does the token conform to the ERC20 standard?:  yes
- Are there any novel or unique curve logic or mathematical models?: None
- Does it use a timelock function?:  Yes (Native token staking implements time lock)
- Is it an NFT?: Yes (Lottery Ticket is an NFT)
- Does it have an AMM?:   No
- Is it a fork of a popular project?:   false
- Does it use rollups?:   false
- Is it multi-chain?:  false
- Does it use a side-chain?: false

Tests

More documentation on testing and lottery mechanics can be found in Wenwin contracts README.

Quickstart command

rm -Rf 2023-03-wenwin || true && git clone https://github.com/code-423n4/2023-03-wenwin.git -j8 --recurse-submodules && cd 2023-03-wenwin && foundryup && forge test --gas-report

Forge tests

To run the tests you need to:

Install Foundry.
Clone the repo using git clone --recurse-submodules.
Run forge test.

Coverage

To generate coverage, run:

bash script/sh/generateCoverageReport.sh

It will open the HTML report in your browser.

Gas report

To get the gas report, run:

forge test --gas-report

Slither

To run Slither, run:

slither .

Echidna

To run Echidna tests in assertion mode, run:

echidna-test . --contract LotteryEchidna --config echidna.assertion.config.yaml

To run Echidna tests in property mode, run:

echidna-test . --contract LotteryEchidnaProperty --config echidna.property.config.yaml