Ticket ownership can be overwritten due to incorrect logic in NexumManager::buyTickets
Sequential ticket assignment in buyTickets does not check existing ownership, allowing tickets purchased via buySpecificTickets at high indices to be silently overwritten.
Description
The contract supports two ticket purchase flows: NexumManager::buySpecificTickets enforces a user-selects-ticket-number system, and NexumManager::buyTickets enforces a sequential assignment process. Because NexumManager::buyTickets assigns tickets based on round.ticketsSold without checking if ticketOwner[productId][roundId][ticketNumber] is already set, a ticket previously bought at a high index via NexumManager::buySpecificTickets can later be overwritten by sequential purchases. This allows an attacker to steal ticket ownership and potentially win jackpots or instant rewards tied to that ticket.
Vulnerable Scenario:
The following steps help understand the issue:
- Victim buys a high index ticket using
NexumManager::buySpecificTickets, ticket #50. ticketOwner[productId][roundId][50]is set to the victim.round.ticketsSoldis still low (only 40 sold) becausebuySpecificTicketspurchases do not depend on index order.- Ticket purchases continue as normal with calls to
NexumManager::buyTickets, which assigns tickets sequentially:
uint256 ticketNumber = round.ticketsSold;ticketOwner[productId][roundId][ticketNumber] = msg.sender;round.ticketsSold++;
When round.ticketsSold reaches 49, an attacker can call NexumManager::buyTickets and overwrite:
ticketOwner[productId][roundId][50]
If ticket #50 is selected as a winner, the attacker receives the payout instead of the victim.
Impact
- Silent theft of ticket ownership.
- Attacker can get rewards meant for another user.
- Loss of trust.
Recommendation
Prevent overwriting of tickets in NexumManager::buyTickets.
Resolution
Nexalo: Fixed.
Zealynx: Verified. Fixed.
