In this formulation of the question, both options are equally bad.

Here and there.
If you store only in a radish, then there is a chance that something will go wrong and the radish will lose all the data, because. Still, RAM is not the most reliable place to store data. In this case, the user will enter the correct code, and in response receive a message that the code is incorrect. Then the user will think that the developers are down and the service is full of cal. I speak for myself. It's the most annoying thing that can be. This is from the category of captcha on Yandex, which you come in correctly, and they turn you on a shammur.
Therefore, the radish in this case should act as a cache. If there is no data about the SMS code in the radish, then we go to the muscle to make sure that there is no data about the SMS code in our system.
This is often done with authentication tokens. They write both to the database and to the cache. First climb into the cache. If there is no data in the cache, they run to the database. If there is no data about the token in the database either, the user is sent to the bathhouse. If there is still data in the database, then the user is skipped and the data from the database is entered into the cache in order not to load the subd next time and get the data directly from the radish.