CVE-2018-17071

Name of the Vulnerable Software and Affected Versions Lucky9io (affected versions not specified)

Description The issue concerns a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game. It allows attackers to always win and get rewards due to a couple of flaws. Firstly, the entry number variable, which is intended to be private, can be read using the eth.getStorageAt function. Secondly, attackers can purchase a ticket at a low price by directly calling the fallback function with a small msg.value, because the developer incorrectly set the currency unit. This enables attackers to exploit the system.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.