This is the report from a security audit performed on Lottereum by gorbunovperm.
In total, 5 issues were reported including:
- 3 high severity issues.
- 0 medium severity issues.
- 2 low severity issues.
- 0 minor observations.
A re-approve attack is possible. More details here.
The approval of a new amount must be made only when allowance is 0.
The transferOwnership function doesn't have a zero address check. If the function is called without its parameter being supplied, the owner's rights will be transferred to the 0x0 address.
Use require(newOwner != address(0)).
    if (amountOfTicketsForEthereumLotteryPurchased == 1000)
        playLotteryByEthereum();
The lottery will be blocked when the 1000th ticket is bought, and until the administrator calls the playLotteryBy... function it will be impossible to purchase new tickets. The reason is that the playLotteryByEthereum and playLotteryByToken functions may be called only by the admin or owner.
Mark these functions as internal. And make other functions, like startLotteryByTokenManually, with onlyAdministrator rights.
    function addParticipiant(address partAddress, LotteryType typeLot) {
        if(typeLot == LotteryType.Token) {
            if(numPartToken == participientsTokenLottery.length) {
                participientsTokenLottery.length += 1;
            }
            participientsTokenLottery[numPartToken++] = partAddress;
        }
        if(typeLot == LotteryType.Ethereum) {
            if(numPartEthereum == participientsEthereumLottery.length) {
                participientsEthereumLottery.length += 1;
            }
            participientsEthereumLottery[numPartEthereum++] = partAddress;
        }
    }
The addParticipiant function is called from participateInTokenLottery after preliminary checks and commission payment. But this function may also be called by anyone.
Mark the addParticipiant function as internal.
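One way to apply the two recommendations above (internal visibility for addParticipiant and the playLotteryBy... functions, plus a separate admin-only trigger), as an added sketch that is not Lottereum's code. It assumes Solidity 0.4.x; participateInEthereumLottery, startLotteryByEthereumManually, the administrators mapping and TICKET_PRICE are hypothetical names, and winner selection is left out because the report does not give a safe method.

```solidity
pragma solidity ^0.4.24;
// Added illustration, not Lottereum's code. Only the names quoted in the
// report are taken from it; everything else is hypothetical.
contract LotterySketch {
    address public owner;
    mapping(address => bool) public administrators; // hypothetical admin registry
    address[] participientsEthereumLottery;
    uint public numPartEthereum;
    uint public amountOfTicketsForEthereumLotteryPurchased;
    uint public constant TICKET_PRICE = 0.01 ether; // hypothetical price

    modifier onlyAdministrator() {
        require(msg.sender == owner || administrators[msg.sender]);
        _;
    }

    constructor() public { owner = msg.sender; }

    // Public entry point: payment is checked before a participant is recorded.
    function participateInEthereumLottery() public payable {
        require(msg.value == TICKET_PRICE);
        addParticipiant(msg.sender);
        amountOfTicketsForEthereumLotteryPurchased++;
        // The buyer of the 1000th ticket triggers the draw. The internal call
        // carries no access check, so the purchase does not revert on it.
        if (amountOfTicketsForEthereumLotteryPurchased == 1000) {
            playLotteryByEthereum();
        }
    }

    // Separate admin-only trigger, as the report recommends.
    function startLotteryByEthereumManually() public onlyAdministrator {
        playLotteryByEthereum();
    }

    // internal: cannot be reached by an external transaction.
    function addParticipiant(address partAddress) internal {
        if (numPartEthereum == participientsEthereumLottery.length) {
            participientsEthereumLottery.length += 1;
        }
        participientsEthereumLottery[numPartEthereum++] = partAddress;
    }

    // internal: winner selection and payout omitted; this only resets the round.
    function playLotteryByEthereum() internal {
        numPartEthereum = 0;
        amountOfTicketsForEthereumLotteryPurchased = 0;
    }
}
```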
The rules for determining winners are very unsafe. The number of the last ticket can be viewed in storage. An attacker can buy a ticket at the right time and become a winner.
Look here.
Several serious vulnerabilities have been found, and further audit of the contract has been terminated. It is necessary to fix them.