Submission Details
Severity:
`ThePredicter::withdraw()` sends eth to arbitrary user which can be vulnerable to reentrancy attacks. There is also a reentrancy in `ThePredicter::cancelRegistration()`.
Summary
Unprotected call to a function sending Ether to an arbitrary address.
Vulnerability Details
Dangerous calls in ThePredicter::withdraw():
- (success,None) = msg.sender.call{value: reward}() (src/ThePredicter.sol#141)
External calls in ThePredicter::cancelRegistration():
- (success,None) = msg.sender.call{value: entranceFee}() (src/ThePredicter.sol#64)
State variables written after the call(s):
- playersStatus[msg.sender] = Status.Canceled (src/ThePredicter.sol#66)
ThePredicter.playersStatus (src/ThePredicter.sol#24) can be used in cross function reentrancies:
- ThePredicter.approvePlayer(address) (src/ThePredicter.sol#72-83)
- ThePredicter.cancelRegistration() (src/ThePredicter.sol#62-70)
- ThePredicter.playersStatus (src/ThePredicter.sol#24)
- ThePredicter.register() (src/ThePredicter.sol#46-60)
Impact
The means of how the calls are used make the functions vulnerable to reentrancy attacks.
Tools Used
Slither
Recommendations
Ensure that an arbitrary user cannot withdraw unauthorized funds. Use ReentrancyGuard from OpenZeppelin or checks-effects-interactions pattern.
Rewards breakdown
nSLOC
191This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.