Submission Details
Severity: medium
Valid

Organizer Can Withdraw Entrance Fees for Non-Approved Players

Summary

The withdrawPredictionFees function in the ThePredicter contract allows the organizer to withdraw the balance of the contract, including entrance fees paid by users who are not yet approved as players. This can lead to unauthorized withdrawal of funds that should be refundable to non-approved users.

Vulnerability Details

The withdrawPredictionFees function calculates the withdrawable amount by subtracting the total entrance fees for approved players from the contract balance:

    uint256 fees = address(this).balance - players.length * entranceFee;

However, this calculation does not consider that users who have paid the entrance fee but have not yet been approved as players are entitled to a refund if they cancel their registration. Because their fees are not subtracted, the computed amount includes money the contract still owes them, allowing the organizer to withdraw those fees improperly.

Code Snippet

ThePredicter.sol contract

    function withdrawPredictionFees() public {
        if (msg.sender != organizer) {
            revert ThePredicter__NotEligibleForWithdraw();
        }
        // Only approved players' entrance fees are reserved; pending users' fees are not
        uint256 fees = address(this).balance - players.length * entranceFee;
        (bool success, ) = msg.sender.call{value: fees}("");
        require(success, "Failed to withdraw");
    }

Tool used

Manual Review

Impact

The issues in this function lead to:

  • Unauthorized Withdrawal: The organizer could withdraw entrance fees paid by users who are not yet approved as players, violating the intended refund policy.

  • Financial Mismanagement: Without accurate tracking of entrance fees and refunds, the contract could mismanage funds, leading to unfair treatment of users and potential financial loss.

Recommendations

  • Track Total Entrance Fees: Introduce a variable to keep track of the total entrance fees collected. This should be updated with each registration and adjusted when a registration is canceled.

  • Implement Refund Tracking: Maintain a record of entrance fees for each user and adjust the total refundable amount accordingly. This ensures that only the correct amount of prediction fees can be withdrawn, and entrance fees for non-approved users can be refunded if needed.

  • Update Withdraw Logic: Modify the withdrawPredictionFees function to account for entrance fees of non-approved players, ensuring that these funds are not incorrectly included in the withdrawable amount.
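The following added example (not code from the report or from the ThePredicter code base) models the fee accounting described in Vulnerability Details and the tracking variable proposed in Recommendations, so the two formulas can be compared on the same scenario. The fee values, user names and the assumption that approved players' entrance fees form the prize pool are constructed for illustration.

```python
ENTRANCE_FEE = 4      # constructed value, in arbitrary units
PREDICTION_FEE = 1    # constructed value

class PredicterModel:
    # Hypothetical model of the contract's balance bookkeeping, not the contract itself
    def __init__(self, track_entrance_fees: bool):
        self.track = track_entrance_fees
        self.balance = 0
        self.pending = set()           # paid the entrance fee, not yet approved
        self.players = []              # approved players
        self.total_entrance_fees = 0   # the tracking variable the report recommends
    def register(self, user):
        self.balance += ENTRANCE_FEE
        self.total_entrance_fees += ENTRANCE_FEE
        self.pending.add(user)
    def approve(self, user):
        self.pending.remove(user)
        self.players.append(user)
    def make_prediction(self):
        self.balance += PREDICTION_FEE
    def cancel_registration(self, user) -> bool:
        """Refund a pending user; fails if the contract can no longer pay."""
        if user not in self.pending or self.balance < ENTRANCE_FEE:
            return False
        self.pending.remove(user)
        self.balance -= ENTRANCE_FEE
        self.total_entrance_fees -= ENTRANCE_FEE
        return True
    def withdraw_prediction_fees(self) -> int:
        if self.track:
            fees = self.balance - self.total_entrance_fees          # fixed formula
        else:
            fees = self.balance - len(self.players) * ENTRANCE_FEE  # vulnerable formula
        self.balance -= fees
        return fees
    def shortfall(self) -> int:
        """Entrance fees still owed (pending refunds + players' pool) minus balance."""
        owed = (len(self.pending) + len(self.players)) * ENTRANCE_FEE
        return max(0, owed - self.balance)

def run_scenario(track: bool):
    """Three registrations, two approvals, two predictions, then an organizer withdrawal."""
    m = PredicterModel(track)
    for u in ("alice", "bob", "carol"): m.register(u)   # balance 12, carol stays pending
    m.approve("alice"); m.approve("bob")
    m.make_prediction(); m.make_prediction()            # balance 14
    withdrawn = m.withdraw_prediction_fees()
    return withdrawn, m.shortfall()
```

With the vulnerable formula the organizer withdraws 6 (carol's 4 plus the 2 in prediction fees) and the contract is 4 short of what it owes; with the tracked total only the 2 in prediction fees leave the contract.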

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Wrong computation in withdrawPredictionFees

withdrawPredictionFees incorrectly computes the value to be transferred to the organizer, which leads to pending players not being able to cancel their registration, approved players not being able to claim their rewards and other errors.
