Description
Users without approve can make predictions on ScoreBoard::setPrediction
Impact
Users that organizer don't approved can make predictions instead of only approved users.
Proof Of Concept
Add the following code to the test/ThePredicter.test.sol
:
function test_OnlyApprovedUsersCanMakePrediction() public {
vm.deal(stranger, 1 ether);
vm.startPrank(stranger);
thePredicter.register{value: 0.04 ether}();
vm.stopPrank();
vm.startPrank(stranger);
vm.expectRevert({
revertData: abi.encodeWithSelector(
ScoreBoard__UnauthorizedAccess.selector
)
});
scoreBoard.setPrediction(msg.sender, 1, ScoreBoard.Result.Second);
vm.stopPrank();
}
Recommended Mitigation
In the ScoreBoard::setPrediction
add the import:
// SPDX-License-Identifier: MIT
pragma solidity 0.8.20;
+ import { ThePredicter } from "./ThePredicter.sol";
contract ScoreBoard {
And add the check:
function setPrediction(
address player,
uint256 matchNumber,
Result result
) public {
+ if (ThePredicter(thePredicter).playersStatus(player) != ThePredicter.Status.Approved) {
+ revert ScoreBoard__UnauthorizedAccess();
+ }
if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
playersPredictions[player].predictions[matchNumber] = result;
playersPredictions[player].predictionsCount = 0;
for (uint256 i = 0; i < NUM_MATCHES; ++i) {
if (
playersPredictions[player].predictions[i] != Result.Pending &&
playersPredictions[player].isPaid[i]
) ++playersPredictions[player].predictionsCount;
}
}