Created September 5, 2018 13:39
A Lottery Solidity Smart Contract
```solidity
// constructor() and abi.encodePacked() both require compiler 0.4.22 or later,
// so the original ^0.4.21 pragma would not compile on 0.4.21 itself.
pragma solidity ^0.4.22;

contract Lottery {
    address public manager;    // deployer; the only account allowed to pick a winner
    address[] public players;  // every address that paid to enter the current round

    constructor() public {
        manager = msg.sender;
    }

    // Anyone can enter by sending more than 0.01 ether; one slot per payment.
    function enter() public payable {
        require(msg.value > .01 ether);
        players.push(msg.sender);
    }

    // Pseudo-random seed built only from on-chain values (difficulty, timestamp,
    // player list), all of which are readable by anyone before pickWinner runs.
    function random() private view returns (uint) {
        return uint(keccak256(abi.encodePacked(block.difficulty, now, players)));
    }

    // Manager-only: pay the whole balance to one player and start a new round.
    function pickWinner() public restricted {
        uint index = random() % players.length;
        players[index].transfer(address(this).balance);
        players = new address[](0);
    }

    function getPlayers() public view returns (address[]) {
        return players;
    }

    modifier restricted() {
        require(msg.sender == manager);
        _;
    }
}
```
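As an added example that is not part of the gist, the same lottery rewritten so the winner is drawn from secrets the players commit to and later reveal, rather than from block.difficulty and now, which any observer can read before pickWinner runs. The contract name, the three-phase functions and the one-round-per-deployment design are my assumptions, not the gist author's.

```solidity
pragma solidity ^0.4.22;

// Added example (not from the gist): one-round lottery whose seed is folded from
// every revealed player secret, so nobody, manager included, knows it before the last reveal.
contract CommitRevealLottery {
    address public manager;
    address[] public players;                 // everyone who paid and committed
    address[] public revealers;               // subset that revealed in time
    mapping(address => bytes32) public commitments;
    mapping(address => bool) public revealed;
    bytes32 private seed;                     // folded from every revealed secret
    uint public revealDeadline;               // block number; 0 while entries are open
    constructor() public { manager = msg.sender; }
    modifier restricted() { require(msg.sender == manager); _; }

    // Phase 1: pay and commit keccak256(secret, sender); the secret stays off-chain.
    function enter(bytes32 commitment) public payable {
        require(msg.value > .01 ether);
        require(revealDeadline == 0);                    // entries closed once reveals begin
        require(commitments[msg.sender] == bytes32(0));  // one entry per address
        commitments[msg.sender] = commitment;
        players.push(msg.sender);
    }

    // Manager closes entries and opens a reveal window of `revealBlocks` blocks.
    function closeEntries(uint revealBlocks) public restricted {
        require(revealDeadline == 0 && players.length > 0 && revealBlocks > 0);
        revealDeadline = block.number + revealBlocks;
    }

    // Phase 2: each player proves knowledge of the committed secret; it is mixed
    // into the seed, so the final seed is unknown until the last reveal lands.
    function reveal(bytes32 secret) public {
        require(revealDeadline != 0 && block.number <= revealDeadline);
        require(!revealed[msg.sender]);
        require(keccak256(abi.encodePacked(secret, msg.sender)) == commitments[msg.sender]);
        revealed[msg.sender] = true;
        revealers.push(msg.sender);
        seed = keccak256(abi.encodePacked(seed, secret));
    }

    // Phase 3: after the window closes, pay the pot to one of the revealers.
    // Players who never revealed forfeit their stake to the pot and cannot win.
    function pickWinner() public restricted {
        require(revealDeadline != 0 && block.number > revealDeadline && revealers.length > 0);
        uint index = uint(seed) % revealers.length;
        revealers[index].transfer(address(this).balance);
        delete revealers;   // single round: a second call fails the require above
    }
}
```

The residual weakness is that the last player to reveal can compute the final seed before deciding whether to reveal at all, at the cost of the stake left in the pot; for high-value rounds a larger forfeitable deposit or an external randomness beacon is the usual next step.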
I think there is a backdoor, the 'manager' (who deploys the contract) can figure out the winning number by invoking the pickWinner function, the 'manager' can then bet on the winning number.
Note: The called function should be payable if you send value and the value you send should be less than your current balance.
Debug the transaction to get more information?
@kiknaio why is that a security issue though? Deploying a new instance of the contract will reset the state to its default values. This means that the players array will be filled with different addresses so even if you determine the calculated index, the mapped picked address on the original contract would be different to the one of the new one. If you want to add an extra layer of security, can't you just make the players internal or private so its contents won't be visible to the outside world?