Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Missing Validation Check in `makePrediction` function

Summary

The `ThePredicter::makePrediction` function lacks a validation check on the `matchNumber` parameter. A user can enter a match number that does not exist and lose the fee paid for it.

Vulnerability Details

The `makePrediction` function does not check that `matchNumber` lies within the valid range (0 to 8). A user can therefore pay the prediction fee for a match number that does not exist. Because `playersPredictions[player].isPaid[matchNumber]` is set to `true`, the user believes a prediction has been recorded, but the number corresponds to no actual match, so the fee is spent for nothing.

Impact

Users can accidentally pay the prediction fee for invalid match numbers, causing them to lose money without recording their prediction.

Tools Used

Manual Review

Recommendations

Implement a validation check to ensure that the matchNumber is within the valid range (0 to 8).

```diff
function makePrediction(
    uint256 matchNumber,
    ScoreBoard.Result prediction
) public payable {
    if (msg.value != predictionFee) {
        revert ThePredicter__IncorrectPredictionFee();
    }
+   // matchNumber is a uint256 and can never be negative, so only the upper bound needs checking
+   if (matchNumber > 8) {
+       revert("Invalid match number");
+   }
    if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
        revert ThePredicter__PredictionsAreClosed();
    }
    scoreBoard.confirmPredictionPayment(msg.sender, matchNumber);
    scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
}
```
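To make the behaviour described under Vulnerability Details and the effect of the recommended check concrete, here is an added Foundry test against a deliberately simplified stand-in contract. It is constructed for this report and is not ThePredicter's own code: `MiniPredicter`, `NUM_MATCHES`, `InvalidMatchNumber` and the flat `isPaid` mapping are assumptions that keep only the fee check and the paid-flag update from the real function.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for the contest contract: only the fee check and the
// paid flag are kept; names and storage layout are simplified assumptions.
contract MiniPredicter {
    uint256 public constant NUM_MATCHES = 9;        // valid matchNumber: 0..8
    uint256 public constant predictionFee = 0.0001 ether;
    bool immutable validateRange;                   // false = unpatched, true = patched
    mapping(address => mapping(uint256 => bool)) public isPaid;

    error IncorrectPredictionFee();
    error InvalidMatchNumber(uint256 matchNumber);

    constructor(bool _validateRange) { validateRange = _validateRange; }

    function makePrediction(uint256 matchNumber) public payable {
        if (msg.value != predictionFee) revert IncorrectPredictionFee();
        // Hardened path: matchNumber is uint256, so only the upper bound matters.
        if (validateRange && matchNumber >= NUM_MATCHES) revert InvalidMatchNumber(matchNumber);
        isPaid[msg.sender][matchNumber] = true;
    }
}

contract MiniPredicterTest is Test {
    address player = address(0xBEEF);

    function test_unvalidated_accepts_fee_for_nonexistent_match() public {
        MiniPredicter p = new MiniPredicter(false);
        vm.deal(player, 1 ether);
        vm.prank(player);
        p.makePrediction{value: p.predictionFee()}(9);   // no match 9 exists
        assertTrue(p.isPaid(player, 9));                  // flag set for a phantom match...
        assertEq(address(p).balance, p.predictionFee());  // ...and the fee is kept
    }

    function test_validated_reverts_on_out_of_range() public {
        MiniPredicter p = new MiniPredicter(true);
        vm.deal(player, 1 ether);
        vm.prank(player);
        vm.expectRevert(abi.encodeWithSelector(MiniPredicter.InvalidMatchNumber.selector, 9));
        p.makePrediction{value: p.predictionFee()}(9);
        assertFalse(p.isPaid(player, 9));                 // nothing recorded, no fee lost
    }
}
```

Run with `forge test` in a project that has forge-std installed; the first test passes only because the stand-in skips the range check, which is exactly the gap the recommendation closes.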
Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
