Submission Details
Severity: high
Valid

No check to ensure that a player is authorized to make a prediction.

Summary

The makePrediction function doesn't check whether a user is approved before allowing them to make a prediction. This implies that more than thirty persons, and in fact anyone, can make a prediction.

Vulnerability Details

https://github.com/Cyfrin/2024-07-the-predicter/blob/839bfa56fe0066e7f5610197a6b670c26a4c0879/src/ThePredicter.sol#L85

// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import "forge-std/Test.sol";
import "../src/ThePredicter.sol";
import "../src/ScoreBoard.sol";

contract ThePredicterTest is Test {
    ThePredicter public thePredicter;
    ScoreBoard public scoreBoard;
    address public owner = address(1);
    address public player = address(2);
    uint256 public predictionFee = 0.01 ether;
    uint256 public entranceFee = 0.04 ether;
    uint256 public START_TIME = 1723752000; // Example START_TIME: August 15, 2024, 20:00:00 UTC

    function setUp() public {
        vm.deal(owner, 1 ether);
        vm.deal(player, 1 ether);

        vm.startPrank(owner);
        scoreBoard = new ScoreBoard();
        thePredicter = new ThePredicter(address(scoreBoard), entranceFee, predictionFee);
        // Allow ThePredicter to write to the ScoreBoard; without this the
        // onlyThePredicter calls inside makePrediction revert for the wrong reason
        scoreBoard.setThePredicter(address(thePredicter));
        vm.stopPrank();

        // Register the player (status becomes Pending) but do not approve them
        vm.prank(player);
        thePredicter.register{value: entranceFee}();
    }

    function testUnapprovedPlayerCannotPredict() public {
        // Predictions for match 0 are still open before START_TIME
        vm.warp(START_TIME - 1 days);
        vm.startPrank(player);
        // Expected behaviour: a non-approved player is rejected. On the unpatched
        // contract there is no status check, so this test fails: the prediction goes through.
        vm.expectRevert(ThePredicter.ThePredicter__UnauthorizedAccess.selector);
        thePredicter.makePrediction{value: predictionFee}(0, ScoreBoard.Result.First);
        vm.stopPrank();
    }
}

Impact

Unauthorized users can make predictions, potentially compromising the integrity of the prediction system.

Tools Used

Manual review

Recommendations

Add a check to verify that the player is authorized to make a prediction before confirming payment and setting the prediction.

    function makePrediction(
        uint256 matchNumber,
        ScoreBoard.Result prediction
    ) public payable {
        if (msg.value != predictionFee) {
            revert ThePredicter__IncorrectPredictionFee();
        }
        if (block.timestamp > START_TIME + matchNumber * 86400 - 3600) {
            revert ThePredicter__PredictionsAreClosed();
        }
        // Added check: only approved players may pay for and set a prediction
        if (playersStatus[msg.sender] != Status.Approved) {
            revert ThePredicter__UnauthorizedAccess();
        }
        scoreBoard.confirmPredictionPayment(msg.sender, matchNumber);
        scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
        emit PredictionMade(msg.sender, matchNumber, prediction);
    }

    // Event to declare in the contract alongside the function
    event PredictionMade(address indexed player, uint256 matchNumber, ScoreBoard.Result prediction);
Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation of players' predictions.
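As an added illustration (not the project's code and not part of this submission), the simplified stand-in contracts below show the two layers of access control that the recommendation above and the judge's finding tag together point to: the status check in makePrediction, plus a caller check in ScoreBoard.setPrediction so that the first check cannot be bypassed by writing to the scoreboard directly. The contract and function names, the Status and Result enums, and the organizer/owner roles are assumptions that mirror the audited code; fee and timing checks are left out to keep the focus on authorization.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Simplified stand-ins written for this note; not the audited project's code.
contract ScoreBoardHardened {
    enum Result { Pending, First, Draw, Second } // assumed to mirror ScoreBoard.Result
    address public immutable owner;
    address public thePredicter;
    mapping(address => mapping(uint256 => Result)) public predictions;

    error ScoreBoard__UnauthorizedAccess();
    constructor() { owner = msg.sender; }

    function setThePredicter(address _thePredicter) external {
        if (msg.sender != owner) revert ScoreBoard__UnauthorizedAccess();
        thePredicter = _thePredicter;
    }

    // Second layer: only the ThePredicter contract may write predictions, so the
    // status check in ThePredicterHardened cannot be bypassed by calling here directly.
    function setPrediction(address player, uint256 matchNumber, Result result) external {
        if (msg.sender != thePredicter) revert ScoreBoard__UnauthorizedAccess();
        predictions[player][matchNumber] = result;
    }
}

contract ThePredicterHardened {
    enum Status { Unknown, Pending, Approved, Canceled } // assumed to mirror ThePredicter.Status
    address public immutable organizer;
    ScoreBoardHardened public immutable scoreBoard;
    mapping(address => Status) public playersStatus;

    error ThePredicter__UnauthorizedAccess();

    constructor(ScoreBoardHardened _scoreBoard) {
        organizer = msg.sender;
        scoreBoard = _scoreBoard;
    }

    function approvePlayer(address player) external {
        if (msg.sender != organizer) revert ThePredicter__UnauthorizedAccess();
        playersStatus[player] = Status.Approved;
    }

    // First layer: the check this finding recommends, before any state is written.
    function makePrediction(uint256 matchNumber, ScoreBoardHardened.Result prediction) external {
        if (playersStatus[msg.sender] != Status.Approved) revert ThePredicter__UnauthorizedAccess();
        scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
    }
}
```

Deploy ScoreBoardHardened first, then ThePredicterHardened, and call setThePredicter with the latter's address; until that is done every setPrediction call reverts, which is the safe default.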
