k26dr / ethereum-games Goto Github PK
View Code? Open in Web Editor NEWThe official code repo for the book Building Games with Ethereum Smart Contracts
The official code repo for the book Building Games with Ethereum Smart Contracts
Couldn't find an email to report this to, but what happens in this scenario:
var numbers = [[1,1,1,1,1,1]];
lottery.buy(numbers, { from: accounts[0], value: 2e15 });
AFAICT the code doesn't check if numbers provided are unique, so it's much easier to guess the numbers, and jackpot chances are ~1 in 69 or even better :)
This issue only happens if there are periods when the powerball contract is not actively used, and if any period like that exists, then I could draw all the account balance(jackpot) from the contract at any later time. Let's says someone deploys the contract, and then initially very few people use it. I as an attacker would submit the same same lottery tickets for every round with number(a1, a2, a3, a4, a5, a6) where those numbers were derived from a blockhash of 0. As the assumption is that very few people use it initially, I would end up with a round where noone called the drawNumber() method.
Few years passed, and the current jackpot is 1.000.000USD, then I call the drawNumber(at this time the blockhash will be 0, so I am getting the winning numbers). I just drew the entire balance of the contract, and all I had to do is buy some ticket at a period that very few people used it. :)
Hey man, very nice project!
I am learning solidity and trying to implement some knowledge in a personal project.
Your powerball code is amazing and it is kind like something I am trying to learn.
Can you tell me how it works?
I trying to test it using remix.
But when i choose the numbers i have this error
"transact to Powerball.buy errored: Error encoding arguments: Error: types/values length mismatch (count={"types":1,"values":4}, value={"types":["uint256[6][]"],"values":["",",2,",",4,",",6"]}, code=INVALID_ARGUMENT, version=abi/5.1.2)"
And I don't know what to do :(
Thanks man
I think there is problem with that RNGLottery contract. If I am an attacker, I can have 3 addresses and buy 3 different lottery tickets. During the reveal phase I can influence the 'seed' calculation by choosing which one of my 3 commitments I want to reveal (and hence influence make myself the winner). Maybe I chose not to reveal 1 of my commitments, so one of my 2 other tickets can win.
If I buy n lottery tickets and I also observer the node's transaction pool (in order to decide which of the n commitments to reveal), then I will have 2n-1 ways to manipulate the final seed value and still have at least 1 valid lottery ticket. That is a much higher chance than someone buying n tickets and not trying to manipulate the seed value.
To carry out this attack I would either have to:
Although attack number 2 is hard to carry out, number 1 seems easy enough. Most mining clients order transactions in the block deterministically, so as long as I can predict which other reveal transactions from other players end up in the last block of the reveal phase, I would be able to manipulate the seed value.
Can you find it? The first user who can point to a transaction that exploits the flaw will receive a 0.1 ether reward. Attack away :)
I think there are 2 smaller problems with this contract:
it seems you allow 38 different numbers, but a roulette only has 37 numbers:
ethereum-games/contracts/Gambling.sol
Line 114 in 3128272
you don't have any checks on the type of the bet here:
ethereum-games/contracts/Gambling.sol
Line 113 in 3128272
however you do check the type here:
ethereum-games/contracts/Gambling.sol
Line 133 in 3128272
this can cause bets accidentally submitted invalid BetTypes like 3 or 4 to be permanently stuck
Anyway, it was a great book overal, thank you!
If you'd like to create your own prize puzzle, deploy it to the mainnet then paste a link to the Etherscan page here. The link to the first prize puzzle detailed in the book along with the question is below.
What is the sum of the first 1 million primes?
https://etherscan.io/address/0x73388dc2f89777cbdf53e5352f516cd703d070a6
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.