The ScoreBoard smart contract allows players to modify their predictions after a match has concluded and the results are known. This enables players to cheat by adjusting their predictions to match the actual outcomes, thereby manipulating the scoring system and reward distribution.
The `setPrediction` function within the ScoreBoard contract lacks a check to determine if a match has already ended before permitting players to change their predictions. This can be exploited as follows:
1. A player waits for the match results.
2. If their initial prediction was incorrect, they can call the `setPrediction` function to change their prediction to the correct outcome.
3. This action unfairly increases the player's score, potentially qualifying them for rewards they did not rightfully earn.
Cheating players may receive rewards that should have been awarded to those who made accurate predictions before the match results were known.
Manual Review
To address this vulnerability, the `setPrediction` function should be modified to include a match time check. Specifically, players should only be allowed to change their predictions if the current blockchain time (`block.timestamp`) is less than the match start time plus a designated time window for prediction changes.
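One way to implement the recommended check, as an added sketch that is not the audited ScoreBoard source. Every name other than `setPrediction` and `block.timestamp` (the `matchStartTime` mapping, `changeWindow`, `scheduleMatch`, the `Result` enum and the custom errors) is a hypothetical assumption, as is the simplified function signature.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch, not the audited ScoreBoard source. Every name except
// setPrediction and block.timestamp is hypothetical.
contract ScoreBoardSketch {
    enum Result { Pending, First, Draw, Second }

    error NotOwner();
    error UnknownMatch(uint256 matchNumber);
    error PredictionWindowClosed(uint256 matchNumber, uint256 closedAt);

    address public immutable owner;
    // Seconds after kickoff during which changes are still accepted.
    // Must end before the outcome can be known; 0 closes at kickoff.
    uint256 public immutable changeWindow;

    mapping(uint256 => uint256) public matchStartTime; // matchNumber => unix time
    mapping(address => mapping(uint256 => Result)) public predictions;

    constructor(uint256 changeWindow_) {
        owner = msg.sender;
        changeWindow = changeWindow_;
    }

    // Owner registers the kickoff time for each match.
    function scheduleMatch(uint256 matchNumber, uint256 startTime) external {
        if (msg.sender != owner) revert NotOwner();
        matchStartTime[matchNumber] = startTime;
    }

    function setPrediction(uint256 matchNumber, Result result) external {
        uint256 start = matchStartTime[matchNumber];
        // An unscheduled match has start == 0 and must not be writable.
        if (start == 0) revert UnknownMatch(matchNumber);

        uint256 closedAt = start + changeWindow;
        // The missing check: reject any change once the window has passed.
        if (block.timestamp >= closedAt) {
            revert PredictionWindowClosed(matchNumber, closedAt);
        }
        predictions[msg.sender][matchNumber] = result;
    }
}
```

A regression test for this fix should advance the chain time past `closedAt` and assert that `setPrediction` reverts while the stored prediction is unchanged.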