Beginner Friendly Foundry
Submission Details
Severity: medium
Invalid

Missing Check in cancelRegistration Function

Summary

The cancelRegistration function in the ThePredicter contract lacks a check that the caller is actually registered for the competition. This oversight could allow unregistered users to withdraw funds, leading to financial losses for the contract.

Vulnerability Details

The cancelRegistration function only checks that the caller's status is Pending. It does not verify that the caller exists in the players array, which stores the addresses of approved participants. As a result, an attacker can call this function without having registered, and if their status is mistakenly set to Pending, they can withdraw the entrance fee.

https://github.com/Cyfrin/2024-07-the-predicter/blob/main/src/ThePredicter.sol#L62-L70

Impact

This vulnerability can be exploited to drain the contract's funds by repeatedly calling cancelRegistration with different addresses that have not registered but have their status set to Pending.

Tools Used

Manual review

Recommendations

Before processing the cancellation, verify that the caller's address exists in the players array. If it does not, the function should revert with an appropriate custom error.
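The check the recommendation describes, written against a minimal stand-in contract. This is an added example, not the ThePredicter source linked above: the contract name, the Status enum values, the players array, the playersStatus mapping and the custom errors are assumptions for this illustration. Note that in this stub register() is the only path that sets Pending and it always pushes to players, so the membership check is redundant with the status check; it only adds protection if some other path in the real contract can set Pending without adding the address to players.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Stand-in registration contract (assumed names; not the ThePredicter code).
contract RegistrationStub {
    enum Status { Unknown, Pending, Approved, Canceled }

    uint256 public constant ENTRANCE_FEE = 0.04 ether; // assumed value
    address public immutable organizer;
    address[] public players;                          // registered addresses
    mapping(address => Status) public playersStatus;

    error NotRegistered(address caller);
    error WrongStatus(address caller, Status actual);
    error WrongFee(uint256 sent);
    error TransferFailed();

    constructor() {
        organizer = msg.sender;
    }

    // Registration: pay the fee, become Pending, and be recorded in players.
    function register() external payable {
        if (msg.value != ENTRANCE_FEE) revert WrongFee(msg.value);
        Status s = playersStatus[msg.sender];
        if (s != Status.Unknown) revert WrongStatus(msg.sender, s);
        playersStatus[msg.sender] = Status.Pending;
        players.push(msg.sender);
    }

    // Cancellation with both checks: status must be Pending AND the caller
    // must be present in players. State is updated before the refund is sent
    // (checks-effects-interactions) so a re-entrant call sees Canceled.
    function cancelRegistration() external {
        Status s = playersStatus[msg.sender];
        if (s != Status.Pending) revert WrongStatus(msg.sender, s);

        uint256 idx = _indexOf(msg.sender);
        if (idx == type(uint256).max) revert NotRegistered(msg.sender);

        playersStatus[msg.sender] = Status.Canceled;
        // swap-and-pop removal keeps players free of canceled addresses
        players[idx] = players[players.length - 1];
        players.pop();

        (bool ok, ) = msg.sender.call{value: ENTRANCE_FEE}("");
        if (!ok) revert TransferFailed();
    }

    function playerCount() external view returns (uint256) {
        return players.length;
    }

    // Linear scan; gas grows with the number of players. A mapping
    // (address => bool) would give O(1) membership if the array gets large.
    function _indexOf(address who) internal view returns (uint256) {
        for (uint256 i = 0; i < players.length; i++) {
            if (players[i] == who) return i;
        }
        return type(uint256).max;
    }
}
```

In a Foundry test one would register from an address, call cancelRegistration and assert playerCount() drops by one and the balance is refunded, then call cancelRegistration from a fresh address and expect a revert with WrongStatus, since no path other than register() can make that address Pending.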

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
