Submission Details
Severity: high
Invalid

ScoreBoard - Post-Match Prediction Changes

Summary

The ScoreBoard smart contract allows players to modify their predictions after a match has concluded and the results are known. This enables players to cheat by adjusting their predictions to match the actual outcomes, thereby manipulating the scoring system and reward distribution.

Vulnerability Details

The setPrediction function within the ScoreBoard contract lacks a check to determine if a match has already ended before permitting players to change their predictions. This can be exploited as follows:

  1. A player waits for the match results.

  2. If their initial prediction was incorrect, they can call the setPrediction function to change their prediction to the correct outcome.

  3. This action unfairly increases the player's score, potentially qualifying them for rewards they did not rightfully earn.

Impact

Cheating players may receive rewards that should have been awarded to those who made accurate predictions before the match results were known.

Tools Used

Manual Review

Recommendations

To address this vulnerability, the setPrediction function should be modified to include a match time check. Specifically, players should only be allowed to change their predictions if the current blockchain time (block.timestamp) is less than the match start time plus a designated time window for prediction changes.

    function setPrediction(
        address player,
        uint256 matchNumber,
        Result result
    ) public {
        require(block.timestamp < START_TIME + matchNumber * 68400, "Match has already started"); // Add match time check
        playersPredictions[player].predictions[matchNumber] = result;
        // ... (rest of the function)
    }

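
A claim like this one can be checked with a Foundry test that warps `block.timestamp` to either side of the cutoff. The following is an added example, not code from the submission or from the contest repository: `MiniBoard`, `CutoffTest`, the `predictions` mapping layout, the constructor, the `Result` members and the `START` timestamp are assumptions; only the `require` expression and its revert string come from the snippet above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical minimal board (not the contest's ScoreBoard): only the
// prediction storage and the cutoff from the recommendation above.
contract MiniBoard {
    enum Result { Pending, First, Draw, Second } // assumed members

    uint256 public immutable START_TIME;            // assumed: set at deployment
    uint256 public constant MATCH_INTERVAL = 68400; // value used in the snippet above

    mapping(address => mapping(uint256 => Result)) public predictions;

    constructor(uint256 startTime) { START_TIME = startTime; }

    function setPrediction(uint256 matchNumber, Result result) external {
        require(block.timestamp < START_TIME + matchNumber * MATCH_INTERVAL, "Match has already started");
        predictions[msg.sender][matchNumber] = result;
    }
}

contract CutoffTest is Test {
    MiniBoard board;
    uint256 constant START = 1_700_000_000; // constructed timestamp
    address player = address(0xA11CE);      // constructed test account

    function setUp() public { board = new MiniBoard(START); }

    function test_changeAllowedBeforeCutoff() public {
        vm.warp(START + 68400 - 1); // one second before the match 1 cutoff
        vm.startPrank(player);
        board.setPrediction(1, MiniBoard.Result.First);
        board.setPrediction(1, MiniBoard.Result.Draw); // changing is still allowed
        vm.stopPrank();
        assertEq(uint256(board.predictions(player, 1)), uint256(MiniBoard.Result.Draw));
    }

    function test_changeRejectedAtCutoff() public {
        vm.warp(START + 68400); // exactly at the cutoff: the strict '<' fails
        vm.expectRevert(bytes("Match has already started"));
        vm.prank(player);
        board.setPrediction(1, MiniBoard.Result.First);
    }
}
```

Pointing the same two tests at the real contract instead of `MiniBoard` shows whether a late change reverts, which is the fact the finding depends on.
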
Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
