CVE-2018-17071

HIGH

Lucky9io - Info Disclosure

Title source: llm

Description

The fallback function of a simple lottery smart contract implementation for Lucky9io, an Ethereum gambling game, generates a random value with the publicly readable variable entry_number. This variable is private, yet it is readable by eth.getStorageAt function. Also, attackers can purchase a ticket at a low price by directly calling the fallback function with small msg.value, because the developer set the currency unit incorrectly. Therefore, it allows attackers to always win and get rewards.

References (1)

[Exploit, Third Party Advisory] https://github.com/TEAM-C4B/CVE-LIST/tree/master/CVE-2018-17071

View Exploit ZIP pw:eip

Scores

CVSS v3 7.5

EPSS 0.0030

EPSS Percentile 53.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-338

Status published

Products (1)

lucky9/lucky9io

Published Sep 18, 2018

Tracked Since Feb 18, 2026