ScoreBoard - Post-Match Prediction Changes
Summary
The ScoreBoard smart contract allows players to modify their predictions after a match has concluded and the results are known. This enables players to cheat by adjusting their predictions to match the actual outcomes, thereby manipulating the scoring system and reward distribution.
Vulnerability Details
The setPrediction function within the ScoreBoard contract lacks a check to determine if a match has already ended before permitting players to change their predictions. This can be exploited as follows:
A player waits for the match results.
If their initial prediction was incorrect, they can call the
setPredictionfunction to change their prediction to the correct outcome.This action unfairly increases the player's score, potentially qualifying them for rewards they did not rightfully earn.
Impact
Cheating players may receive rewards that should have been awarded to those who made accurate predictions before the match results were known.
Tools Used
Manual Review
Recommendations
To address this vulnerability, the setPrediction function should be modified to include a match time check. Specifically, players should only be allowed to change their predictions if the current blockchain time (block.timestamp) is less than the match start time plus a designated time window for prediction changes.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.