The makePrediction function in the ThePredicter contract contains a critical mathematical error in its time calculation. This error results in an incorrectly calculated time window for predictions, potentially allowing predictions when they should be closed or closing them prematurely.
The problematic code is in the makePrediction function
The vulnerability lies in the time calculation: START_TIME + matchNumber * 68400 - 68400
This calculation has two main issues:
The order of operations is incorrect. Multiplication takes precedence over subtraction, so it's START_TIME + (matchNumber * 68400) - 68400, and it's wrong.
Subtracting 68400 at the end.
For the first match (matchNumber = 1), the calculation becomes START_TIME + 0, effectively allowing predictions until the start time of the first match.
For subsequent matches, the time window is shifted earlier by one match duration (68400 seconds or 19 hours), potentially closing predictions prematurely.
The integrity of the entire prediction system is compromised, as the timing of predictions is fundamental to fair play.
Manual code review
Correct the mathematical calculation to properly account for the match number and the intended prediction window:
In both contracts there is a similar error in the computation of the timestamps of the matches.