CVE-2018-17071
Severity: HIGH
Lucky9io - Predictable Random Number Generation via Public Storage Variable
Title source: llmDescription
The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, derives its random value from the storage variable entry_number. Although this variable is declared private, its value is still publicly readable through the eth.getStorageAt function, so the winning number can be computed in advance. In addition, attackers can purchase a ticket at a low price by calling the fallback function directly with a small msg.value, because the developer set the currency unit incorrectly. Together, these flaws allow attackers to always win and collect the rewards.
References (1)
Core References
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071
Scores
CVSS v3: 7.5
EPSS: 0.0121
EPSS Percentile: 64.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-338
Status: published
Products (1): lucky9/lucky9io
Published: Sep 18, 2018
Tracked Since: Feb 18, 2026