Submission Details
Severity: medium
Invalid

Unrestricted Modification of Match Results by Contract Owner

Summary

The setResult function in the ScoreBoard contract allows the contract owner to set or modify match results without any constraints. Because nothing restricts the value, the timing or the number of calls, the owner can tamper with match results at any time, undermining the integrity of the betting system.

Vulnerability Details

The setResult function is designed to set the result of a match based on the matchNumber and result parameters provided by the contract owner. However, there are several critical issues with the current implementation:

  1. No Value Verification: There is no validation to ensure that the result parameter is a valid result and not the default Pending value.

  2. Unrestricted Timing: The function can be called at any time, allowing the owner to modify the results both before and after the match end date. This means the owner can prematurely set the result before the match has concluded or alter the results after they have been initially set.

  3. Multiple Modifications: The function does not prevent the owner from modifying the result of a match multiple times, which could lead to manipulation of the outcome.

Code Snippet

ScoreBoard.sol contract

```solidity
// As reported: the owner can write any Result, at any time, any number of times.
function setResult(uint256 matchNumber, Result result) public onlyOwner {
    results[matchNumber] = result;
}
```

Tool used

Manual Review

Impact

The ability to modify match results at any time poses a significant risk to the fairness and transparency of the betting system. This vulnerability can be exploited by a malicious owner to alter match results in their favor, potentially leading to financial losses for honest participants and undermining the credibility of the system.

Recommendations

To mitigate this issue, the following changes should be implemented:

  1. Result Validation: Ensure that the result parameter is validated and cannot be set to the Pending state once the match has concluded.

  2. Single Modification: Implement a mechanism to ensure that the result of a match can only be set once and cannot be modified thereafter.

  3. Timing Constraints: Introduce time-based restrictions to ensure that the result can only be set after the match has concluded and within a reasonable time frame.
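
The three recommendations, carried through in one hardened setResult. This is an added illustration, not the audited ScoreBoard.sol: the Result enum members other than Pending, the per-match matchEnd timestamp, the scheduleMatch helper and the 7-day RESULT_WINDOW are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract (not the project's code). Assumed: a Result enum whose
// zero value is Pending, a per-match end timestamp, and a fixed result window.
contract HardenedScoreBoard {
    enum Result { Pending, Draw, First, Second }

    address public immutable owner;
    uint256 public constant RESULT_WINDOW = 7 days; // assumed "reasonable time frame"

    mapping(uint256 => uint256) public matchEnd; // unix time the match concludes (assumed)
    mapping(uint256 => Result) public results;

    event ResultSet(uint256 indexed matchNumber, Result result);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    constructor() { owner = msg.sender; }

    // A match's end time is fixed once; it cannot be moved to reopen the window.
    function scheduleMatch(uint256 matchNumber, uint256 endTime) external onlyOwner {
        require(matchEnd[matchNumber] == 0, "already scheduled");
        require(endTime > block.timestamp, "end time in the past");
        matchEnd[matchNumber] = endTime;
    }

    function setResult(uint256 matchNumber, Result result) external onlyOwner {
        uint256 end = matchEnd[matchNumber];
        require(end != 0, "unknown match");
        // 1. Result validation: Pending is the default, never a final outcome.
        require(result != Result.Pending, "invalid result");
        // 2. Single modification: a recorded result is immutable.
        require(results[matchNumber] == Result.Pending, "result already set");
        // 3. Timing: only after the match concluded, and only inside the window.
        require(block.timestamp >= end, "match not finished");
        require(block.timestamp <= end + RESULT_WINDOW, "result window closed");

        results[matchNumber] = result;
        emit ResultSet(matchNumber, result);
    }
}
```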

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
