PT-2018-11185 · Ethereum · Simplelottery Smart Contract

Published

2018-06-17

Updated

2018-08-14

CVE-2018-12454

CVSS v2.0

5.0

Medium

Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions simplelottery smart contract implementation for 1000 Guess (affected versions not specified)

Description The issue concerns the addguess function of the simplelottery smart contract implementation, which is used in the 1000 Guess Ethereum gambling game. This function generates a random value using publicly readable variables, such as the current block information, and a private variable that can be accessed through a getStorageAt call. As a result, attackers can predict the outcome and always win, allowing them to claim rewards.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-338

Related Identifiers

CVE-2018-12454

Affected Products

Simplelottery Smart Contract

PT-2018-11185 · Ethereum · Simplelottery Smart Contract

CVE-2018-12454

Weakness Enumeration

Related Identifiers

Affected Products

References · 4