This issue only happens if there are periods when the powerball contract is not actively used, and if any period like that exists, then I could draw all the account balance (jackpot) from the contract at any later time. Let's say someone deploys the contract, and then initially very few people use it. I as an attacker would submit the same lottery tickets for every round with numbers (a1, a2, a3, a4, a5, a6), where those numbers were derived from a blockhash of 0. As the assumption is that very few people use it initially, I would end up with a round where no one called the drawNumber() method.
A few years pass, and the current jackpot is 1.000.000 USD; then I call drawNumber() (at this time the blockhash will be 0, so I am getting the winning numbers). I just drew the entire balance of the contract, and all I had to do was buy some tickets in a period when very few people used it. :)
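
An added example, not part of the original comment and not the Powerball contract's code: one way a draw function can refuse the zero-blockhash case described above by voiding the round instead of deriving numbers from it. The contract name, the `Round` layout, `openRound` and the number derivation are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical sketch: contract name, Round layout and number derivation are
// assumptions for illustration, not the Powerball contract's own code.
contract GuardedDraw {
    struct Round {
        uint256 drawBlock; // block whose hash seeds the draw
        bool drawn;
        bool voided;       // seed expired; tickets get refunded or rolled over
        uint8[6] numbers;  // duplicates are not filtered in this sketch
    }

    address private immutable owner = msg.sender;
    mapping(uint256 => Round) private rounds;
    uint256 public nextRoundId;

    event RoundDrawn(uint256 indexed roundId, bytes32 seed);
    event RoundVoided(uint256 indexed roundId);

    // Open a round whose seed block lies `delay` blocks in the future.
    function openRound(uint256 delay) external returns (uint256 roundId) {
        require(msg.sender == owner, "not owner");
        require(delay > 0, "bad delay");
        roundId = nextRoundId++;
        rounds[roundId].drawBlock = block.number + delay;
    }

    function drawNumber(uint256 roundId) external {
        Round storage r = rounds[roundId];
        require(r.drawBlock != 0, "unknown round");
        require(!r.drawn && !r.voided, "already settled");
        require(block.number > r.drawBlock, "too early");

        // blockhash() yields 0 for any block outside the most recent 256.
        bytes32 seed = blockhash(r.drawBlock);
        if (seed == bytes32(0)) {
            // A zero seed is known to everyone in advance: void the round
            // instead of deriving "winning" numbers from it.
            r.voided = true;
            emit RoundVoided(roundId);
            return;
        }
        for (uint256 i = 0; i < 6; i++) {
            r.numbers[i] = uint8(uint256(keccak256(abi.encode(seed, i))) % 64) + 1;
        }
        r.drawn = true;
        emit RoundDrawn(roundId, seed);
    }
}
```

A voided round still needs a payout rule (refund or rollover), which this sketch leaves to the surrounding contract.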