Severity: high
Valid

Malicious Users Can Manipulate Player Predictions to Prevent Accurate Reward Calculation

Summary

The setPrediction function in the ScoreBoard contract is public and performs no caller check, so any address can set or overwrite any player's prediction for any match that is still open. The function is meant to be reached through the ThePredicter contract, which collects the prediction fee first, or by a player changing their own pick. A third party can instead reset a paid prediction to Pending, which removes it from the player's predictionsCount and therefore from their reward eligibility, even though the prediction fee has been paid.

Vulnerability Details

The setPrediction function lets anyone set or alter a player's prediction for a given match. The only guard in the function is the time check (block.timestamp <= START_TIME + matchNumber * 68400 - 68400), which restricts when a prediction may be written, not who may write it. Two problems follow:

  1. Unauthorized Prediction Modification: Callers who are neither the player nor the ThePredicter contract can overwrite a prediction, including resetting it to Pending. Because the recount loop only counts slots that are both paid (isPaid[i]) and not Pending, a paid prediction reset to Pending is silently dropped from predictionsCount. The attacker can equally write a wrong non-Pending result, which keeps the count but makes the player's pick incorrect.

  2. Lack of Validation for Existing Predictions: The function does not distinguish a first-time prediction (which should only arrive via ThePredicter after the fee is confirmed) from a change to an existing one, and it never verifies that the caller owns the slot being modified. Nothing ties the write to the player whose storage is changed, so other players' predictions can be tampered with freely.

Code Snippet

ScoreBoard.sol contract (vulnerable as deployed; the missing caller check is the issue)

    function setPrediction(
        address player,
        uint256 matchNumber,
        Result result
    ) public {
        // No check that msg.sender is `player` or the ThePredicter contract:
        // anyone can write into any player's slot until the match cutoff.
        if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
            playersPredictions[player].predictions[matchNumber] = result;
        // Recount from scratch: only paid, non-Pending slots are counted,
        // so a paid slot reset to Pending disappears from predictionsCount.
        playersPredictions[player].predictionsCount = 0;
        for (uint256 i = 0; i < NUM_MATCHES; ++i) {
            if (
                playersPredictions[player].predictions[i] != Result.Pending &&
                playersPredictions[player].isPaid[i]
            ) ++playersPredictions[player].predictionsCount;
        }
    }

Exploit Scenario

  1. A legitimate player calls makePrediction on the ThePredicter contract, paying the prediction fee; ThePredicter records the payment (isPaid) and the prediction for the chosen match number in ScoreBoard.

  2. Before that match's cutoff, a malicious user who is not approved and does not hold the Player role calls ScoreBoard.setPrediction directly, passing the legitimate player's address, the same match number, and Result.Pending.

  3. The time check passes, so the player's prediction is overwritten with Pending. The recount loop then skips that slot because it is Pending, and predictionsCount drops by one even though isPaid for that match is still true.

  4. The player is now short one counted prediction and may be judged ineligible for rewards on that basis. The attack costs only gas and can be repeated right up to the cutoff, so re-submitting the prediction does not reliably undo it.

Tool used

Manual Review

Impact

Because setPrediction is callable by anyone, a third party can alter or clear any player's predictions, so predictionsCount, and with it reward eligibility and payout, no longer reflects what players actually paid for and predicted. The attack costs only gas, can be repeated up to each match's cutoff, and leaves the affected player out of pocket for the prediction fee: a direct loss of funds for players and a loss of trust in the fairness of the game.

Recommendations

To prevent unauthorized modifications and ensure proper validation, the following changes are recommended:

  1. Restrict setPrediction so that it can only be called by the player whose slot is being written (msg.sender == player) or by the ThePredicter contract, and revert otherwise. This is the minimum fix and on its own closes the issue.

    • Modification of Existing Predictions: If the prediction for the given match is not in its default Pending state, the player is changing an existing pick. The function should verify that the caller is the owner of the prediction (msg.sender == player).

    • Initial Prediction: If the prediction for the given match is still Pending, this is the player's first prediction for that match. The function should require that the caller is the ThePredicter contract, which confirms the prediction fee before setting the initial prediction.

  2. Validation of Predictions: Distinguish a first-time prediction from an update, and only allow an update where a prediction was previously set. In particular, do not let a caller other than the player or ThePredicter move a paid prediction back to Pending, since that is exactly the write that removes the prediction from predictionsCount.
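The following is an added example, not ThePredicter's own code: a minimal model of the ScoreBoard prediction storage that keeps the page's unchecked setPrediction shape (as setPredictionUnchecked) beside a hardened variant implementing recommendation 1 in its simplest form (caller must be the player or ThePredicter), plus a Foundry test that walks the exploit scenario above against both. ScoreBoardModel, setPredictionUnchecked, UnauthorizedCaller, the NUM_MATCHES value and the START_TIME used in the test are assumptions for this example; the cutoff arithmetic and recount loop follow the page's snippet.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the project's code). Names below marked "assumed" are
// illustrative and do not come from the audited contracts.
import {Test} from "forge-std/Test.sol";

contract ScoreBoardModel {
    enum Result { Pending, First, Draw, Second }

    uint256 public constant NUM_MATCHES = 9; // assumed value; the page only names the constant

    struct PlayerPredictions {
        Result[NUM_MATCHES] predictions;
        bool[NUM_MATCHES] isPaid;
        uint256 predictionsCount;
    }

    uint256 public immutable START_TIME;
    address public immutable thePredicter; // assumed: the contract that confirms fees and records picks

    mapping(address => PlayerPredictions) internal playersPredictions;

    error UnauthorizedCaller(address caller, address player);

    constructor(uint256 startTime, address predicter) {
        START_TIME = startTime;
        thePredicter = predicter;
    }

    // Marks the fee as paid for one match; only ThePredicter may do this.
    function confirmPredictionPayment(address player, uint256 matchNumber) external {
        if (msg.sender != thePredicter) revert UnauthorizedCaller(msg.sender, player);
        playersPredictions[player].isPaid[matchNumber] = true;
    }

    // Vulnerable shape from the page: any caller may write any player's slot.
    function setPredictionUnchecked(address player, uint256 matchNumber, Result result) public {
        _setPrediction(player, matchNumber, result);
    }

    // Hardened shape: only the player or ThePredicter may touch this player's slot.
    function setPrediction(address player, uint256 matchNumber, Result result) public {
        if (msg.sender != player && msg.sender != thePredicter) {
            revert UnauthorizedCaller(msg.sender, player);
        }
        _setPrediction(player, matchNumber, result);
    }

    // Shared body: same cutoff arithmetic and recount loop as the page's snippet.
    function _setPrediction(address player, uint256 matchNumber, Result result) internal {
        PlayerPredictions storage p = playersPredictions[player];
        if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400) {
            p.predictions[matchNumber] = result;
        }
        p.predictionsCount = 0;
        for (uint256 i = 0; i < NUM_MATCHES; ++i) {
            if (p.predictions[i] != Result.Pending && p.isPaid[i]) ++p.predictionsCount;
        }
    }

    function predictionsCount(address player) external view returns (uint256) {
        return playersPredictions[player].predictionsCount;
    }
}

contract SetPredictionAccessTest is Test {
    ScoreBoardModel board;
    address predicter = makeAddr("thePredicter");
    address alice = makeAddr("alice");
    address mallory = makeAddr("mallory");

    function setUp() public {
        // Matches start tomorrow (assumed), so match 1 is still open for predictions.
        board = new ScoreBoardModel(block.timestamp + 1 days, predicter);
        // Legitimate flow: ThePredicter confirms the fee and records Alice's pick.
        vm.startPrank(predicter);
        board.confirmPredictionPayment(alice, 1);
        board.setPrediction(alice, 1, ScoreBoardModel.Result.First);
        vm.stopPrank();
        assertEq(board.predictionsCount(alice), 1);
    }

    function testUncheckedVariantLetsAnyoneResetToPending() public {
        vm.prank(mallory);
        board.setPredictionUnchecked(alice, 1, ScoreBoardModel.Result.Pending);
        // Fee still paid, but the slot is Pending, so the recount drops it.
        assertEq(board.predictionsCount(alice), 0);
    }

    function testHardenedVariantRejectsThirdParty() public {
        vm.prank(mallory);
        vm.expectRevert(
            abi.encodeWithSelector(ScoreBoardModel.UnauthorizedCaller.selector, mallory, alice)
        );
        board.setPrediction(alice, 1, ScoreBoardModel.Result.Pending);
        assertEq(board.predictionsCount(alice), 1);
    }

    function testPlayerMayStillChangeOwnPrediction() public {
        vm.prank(alice);
        board.setPrediction(alice, 1, ScoreBoardModel.Result.Draw);
        assertEq(board.predictionsCount(alice), 1);
    }
}
```

Run with forge test in a project that has forge-std installed. The first test reproduces step 3 of the exploit scenario (a paid prediction silently leaves predictionsCount); the second shows the hardened function reverting for a third party while the third confirms the player can still change their own pick before the cutoff. The two-case refinement in recommendation 1 (first-time picks only via ThePredicter, changes only by the player) can be layered on top of this caller check without changing the test shape.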

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.
