Description:
Lack of access control in ScoreBoard::setPrediction allows a malicious player to change other players' predictions even after the result is in.
Impact:
A malicious player can make themselves the winner of the game by making other players lose. Also, this can be used to change their own predictions to make them correct.
Proof of Concept:
Insert the following test into ThePredicter.test.sol:
Recommended Mitigation:
Make the ScoreBoard::setPrediction function only callable by the ThePredicter::makePrediction function, which sets predictions only for the player calling the function.
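A minimal sketch of this mitigation, added here as an example and not taken from the audited code base. The storage layout, the Result values, the error name and the thePredicter / setThePredicter wiring are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified sketch, not the audited contract: storage layout, enum values,
// error name and the thePredicter variable are assumptions for illustration.
contract ScoreBoard {
    enum Result { Pending, First, Draw, Second }
    error ScoreBoard__UnauthorizedAccess();

    address public immutable owner;
    address public thePredicter; // the only contract allowed to write predictions
    mapping(address player => mapping(uint256 matchNumber => Result)) public predictions;

    constructor() { owner = msg.sender; }

    modifier onlyThePredicter() {
        if (msg.sender != thePredicter) revert ScoreBoard__UnauthorizedAccess();
        _;
    }

    function setThePredicter(address _thePredicter) external {
        if (msg.sender != owner) revert ScoreBoard__UnauthorizedAccess();
        thePredicter = _thePredicter;
    }

    // Without the modifier, any address could call this with any `player`.
    // With it, the only path to this setter is ThePredicter.makePrediction.
    function setPrediction(address player, uint256 matchNumber, Result result)
        external onlyThePredicter
    {
        predictions[player][matchNumber] = result;
    }
}

contract ThePredicter {
    ScoreBoard public immutable scoreBoard;

    constructor(ScoreBoard _scoreBoard) {
        scoreBoard = _scoreBoard;
    }

    // The player is always msg.sender, so a caller can only write their own slot.
    function makePrediction(uint256 matchNumber, ScoreBoard.Result result) external {
        scoreBoard.setPrediction(msg.sender, matchNumber, result);
    }
}
```

The sketch covers only the caller restriction; whatever deadline check governs when a prediction may still be made belongs in the makePrediction path and is not shown.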
setPrediction has no access control and allows manipulation of players' predictions.