ID CVE-2018-12454
Summary The _addguess function of a simplelottery smart contract implementation for 1000 Guess, an Ethereum gambling game, generates a random value with publicly readable variables such as the current block information and a private variable (which can be read with a getStorageAt call). Therefore, it allows attackers to always win and get rewards.
References
Vulnerable Configurations
  • cpe:2.3:a:1000guess:1000_guess:-:*:*:*:*:*:*:*
CVSS
Base: 5.0 (as of 14-08-2018 - 17:44)
Impact:
Exploitability:
CWE CWE-338
CAPEC
Access
Vector  Complexity  Authentication
NETWORK  LOW  NONE
Impact
Confidentiality  Integrity  Availability
PARTIAL  NONE  NONE
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:N/A:N
refmap via4
misc https://medium.com/@jonghyk.song/attack-on-pseudo-random-number-generator-prng-used-in-1000-guess-an-ethereum-lottery-game-7b76655f953d
Last major update 14-08-2018 - 17:44
Published 17-06-2018 - 12:29
Last modified 14-08-2018 - 17:44