BriVault
First Flight #52
Beginner FriendlySolidity
100 EXP
View results
Previous Next
Submission Details
Impact: high
Likelihood: high
Invalid

Centralized winner selection by owner

mahimachauhan7

Root + Impact: The owner passes countryIndex to declare the winner leads to a centralization risk.

Description

  • According to the protocol’s design, the contract owner is responsible for selecting the winner.
    This introduces centralization in the lottery system and gives the owner complete control over winner selection.

@> function setWinner(uint256 countryIndex) public onlyOwner returns (string memory) {
if (block.timestamp <= eventEndDate) {
revert eventNotEnded();
}
require(countryIndex < teams.length, "Invalid country index");
if (_setWinner) {
revert WinnerAlreadySet();
}
winnerCountryId = countryIndex;
winner = teams[countryIndex];
_setWinner = true;
_getWinnerShares();
_setFinallizedVaultBalance();
emit WinnerSet (winner);
return winner;
@>}

Risk: High

Likelihood:

  • Every time the Owner selects the winner.

Impact:

  • There is no on-chain randomness, nor a verifiable proof of fairness exists.

  • The owner can manipulate results or front-run participants.

Proof of Concept

@> function setWinner(uint256 countryIndex) public onlyOwner returns (string memory) {}
// onlyOwner can setWinner with the given countryIndex

Recommended Mitigation:

If fairness and decentralization are desired, replace manual owner-based selection with verifiable randomness, e.g.:

  • Chainlink VRF (v2/v3) for secure, unbiased randomness.

  • Commit–Reveal Scheme using participant entropy.

- remove this code
+ add this code
Updates

Appeal created

bube Lead Judge 19 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

The winner is set by the owner

This is owner action and the owner is assumed to be trusted and to provide correct input arguments.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!