First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Off by one validation error in `ScoreBoard.isEligibleForReward` prevents players with one correct prediction to claim rewards

artilugio0

Summary

If a player makes exactly one correct prediction and no other prediction, it should be eligible for rewards, because it will have a positive score. However the function ScoreBoard.isEligibleForReward will return false for that player, preventing them from withdrawing their rewards.

Vulnerability Details

The function isEligibleForReward has an off by one error which prevents users with a single correct prediction to withdraw ther rewards.

In the following code, the boolean expression after the && should use a number 0 instead of a 1.

function isEligibleForReward(address player) public view returns (bool) {

return

results[NUM_MATCHES - 1] != Result.Pending &&

playersPredictions[player].predictionsCount > 1;

}

The following PoC shows a possible scenario where a user will not be able to withdraw their corresponding reward:

pragma solidity ^0.8.13;

import {Test, console} from "forge-std/Test.sol";

import {Strings} from "@openzeppelin/contracts/utils/Strings.sol";

import {ThePredicter} from "../src/ThePredicter.sol";

import {ScoreBoard} from "../src/ScoreBoard.sol";

contract IsElegibleForRewardOffByOneTest is Test {

ThePredicter public thePredicter;

ScoreBoard public scoreBoard;

address public organizer = makeAddr("organizer");

address public stranger = makeAddr("stranger");

function setUp() public {

vm.startPrank(organizer);

scoreBoard = new ScoreBoard();

thePredicter = new ThePredicter(

address(scoreBoard),

0.04 ether,

0.0001 ether

);

scoreBoard.setThePredicter(address(thePredicter));

vm.stopPrank();

}

function test_multipleRegistrationLeadsToIncorrectRewardsDistribution() public {

address stranger2 = makeAddr("stranger2");

vm.startPrank(stranger);

vm.deal(stranger, 1 ether);

thePredicter.register{value: 0.04 ether}();

vm.stopPrank();

vm.startPrank(stranger2);

vm.deal(stranger2, 1 ether);

thePredicter.register{value: 0.04 ether}();

vm.stopPrank();

vm.startPrank(organizer);

thePredicter.approvePlayer(stranger);

thePredicter.approvePlayer(stranger2);

vm.stopPrank();

// make predictions

// stranger makes exactly 1 correct prediction

vm.startPrank(stranger);

thePredicter.makePrediction{value: 0.0001 ether}(

ScoreBoard.Result.First

);

vm.stopPrank();

// stranger 2 makes 2 predictions

vm.startPrank(stranger2);

thePredicter.makePrediction{value: 0.0001 ether}(

ScoreBoard.Result.Draw

);

thePredicter.makePrediction{value: 0.0001 ether}(

ScoreBoard.Result.First

);

vm.stopPrank();

vm.startPrank(organizer);

scoreBoard.setResult(0, ScoreBoard.Result.First);

scoreBoard.setResult(1, ScoreBoard.Result.First);

scoreBoard.setResult(2, ScoreBoard.Result.First);

scoreBoard.setResult(3, ScoreBoard.Result.First);

scoreBoard.setResult(4, ScoreBoard.Result.First);

scoreBoard.setResult(5, ScoreBoard.Result.First);

scoreBoard.setResult(6, ScoreBoard.Result.First);

scoreBoard.setResult(7, ScoreBoard.Result.First);

scoreBoard.setResult(8, ScoreBoard.Result.First);

vm.stopPrank();

vm.startPrank(organizer);

thePredicter.withdrawPredictionFees();

vm.stopPrank();

// stranger shoud be elegible for rewards because it

// has a positive score

assertGt(scoreBoard.getPlayerScore(stranger), 0);

// but isEligibleForReward returns false

assertFalse(scoreBoard.isEligibleForReward(stranger));

// trying to withdraw as stranger reverts

vm.startPrank(stranger);

vm.expectRevert();

thePredicter.withdraw();

vm.stopPrank();

}

Impact

Some users might not be able to withdraw their rewards

Tools Used

Foundry

Recommendations

In the following code, the boolean expression after the && should use a number 0 instead of a 1.

function isEligibleForReward(address player) public view returns (bool) {

return

results[NUM_MATCHES - 1] != Result.Pending &&

playersPredictions[player].predictionsCount > 1;

}

Fixed code:

function isEligibleForReward(address player) public view returns (bool) {

return

results[NUM_MATCHES - 1] != Result.Pending &&

playersPredictions[player].predictionsCount > 0;

}

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

The eligibility criteria is wrong

Players with only one prediction cannot withdraw.

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.