Submission Details
Severity:
Users without approve can make predictions on `ScoreBoard::setPrediction`
Description
Users without approve can make predictions on ScoreBoard::setPrediction
Impact
Users that organizer don't approved can make predictions instead of only approved users.
Proof Of Concept
Add the following code to the test/ThePredicter.test.sol:
function test_OnlyApprovedUsersCanMakePrediction() public {
// setup stranger
vm.deal(stranger, 1 ether);
// register stranger
vm.startPrank(stranger);
thePredicter.register{value: 0.04 ether}();
vm.stopPrank();
// stranger without approve can not make prediction
vm.startPrank(stranger);
vm.expectRevert({
revertData: abi.encodeWithSelector(
ScoreBoard__UnauthorizedAccess.selector
)
});
scoreBoard.setPrediction(msg.sender, 1, ScoreBoard.Result.Second);
vm.stopPrank();
}
Recommended Mitigation
In the ScoreBoard::setPrediction add the import:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
+ import { ThePredicter } from "./ThePredicter.sol";
contract ScoreBoard {
And add the check:
function setPrediction(
address player,
uint256 matchNumber,
Result result
) public {
+ if (ThePredicter(thePredicter).playersStatus(player) != ThePredicter.Status.Approved) {
+ revert ScoreBoard__UnauthorizedAccess();
+ }
if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
playersPredictions[player].predictions[matchNumber] = result;
playersPredictions[player].predictionsCount = 0;
for (uint256 i = 0; i < NUM_MATCHES; ++i) {
if (
playersPredictions[player].predictions[i] != Result.Pending &&
playersPredictions[player].isPaid[i]
) ++playersPredictions[player].predictionsCount;
}
}
Rewards breakdown
nSLOC
191This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.