First Flight #20: The Predicter

Summary

During unlikely circumstances, it might be possible for players to make predictions using the function ThePredicter.makePrediction during a match or even after a match has finished.

Vulnerability Details

Although the function ThePredicter.makePrediction has validations in place to prevent players to make predictions during or after a match, according to Arbitrum's documentation (https://docs.arbitrum.io/build-decentralized-apps/arbitrum-vs-ethereum/block-numbers-and-time#block-timestamps-arbitrum-vs-ethereum), although unlikely, there is a chance that the block.timestamp could have a deviation up to 24 hours in the past. Meaning that there is a chance that users might be able to make predictions on ongoing matches, or matches that have already finished and whose results are already known.

The same issue is present in Scoreboard.setPrediction function.

Impact

• Players could make predictions for ongoing or already finished matches.

Tools Used

Recommendations

• Add a function only available to the organizer that makes a state change in the contract to prevent further predictions to be made for a specific match. The function ThePredicter.makePrediction would have to check that state to allow a player to make a prediction. The organizer would only use the new function in case the block.timestamp deviation with the actual time is found to be significant.

• Make a similar change for Scoreboard.setPrediction function, which is affected as well.

• Alternatively, consider using block.number instead of block.timestamp which might be more reliable.