CVE-2018-17071
Last modified
CVE-2018-17071 is a vulnerability of currently unknown severity. The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. EPSS estimates a 1.21% chance of exploitation in the next 30 days.
Description
The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Lucky9 | Lucky9io | All versions |
References
- https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071Exploit, Third Party Advisory
- https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071Exploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2018-17071?
How severe is CVE-2018-17071?
How do I fix CVE-2018-17071?
Are you affected by CVE-2018-17071?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST