ethereum-games
ethereum-games copied to clipboard
k26dr
Powerball drain all account balance
This issue only happens if there are periods when the powerball contract is not actively used, and if any period like that exists, then I could draw all the account balance(jackpot) from the contract at any later time. Let's says someone deploys the contract, and then initially very few people use it. I as an attacker would submit the same same lottery tickets for every round with number(a1, a2, a3, a4, a5, a6) where those numbers were derived from a blockhash of 0. As the assumption is that very few people use it initially, I would end up with a round where noone called the drawNumber() method.
Few years passed, and the current jackpot is 1.000.000USD, then I call the drawNumber(at this time the blockhash will be 0, so I am getting the winning numbers). I just drew the entire balance of the contract, and all I had to do is buy some ticket at a period that very few people used it. :)
