Vulnerabilities > CVE-2018-17071 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Lucky9 Lucky9Io

CVSS 5.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

NONE

Availability impact

NONE

network

low complexity

lucky9

CWE-338

NVD

Published: 2018-09-18

Updated: 2018-12-10

Summary

The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

Vulnerable Configurations

Part	Description	Count
Application	Lucky9 Lucky9 Lucky9Io -	1

Common Weakness Enumeration (CWE)

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

References

https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071