Submission Details
Severity: high
Valid

Everyone can makePrediction instead of only players

Summary

Everyone can makePrediction instead of only players

Vulnerability Details

The makePrediction function does not check that only an approved player can make a prediction.

Impact

  1. It does not fit the business logic. The documentation states that only players can play the game:

    makePrediction allows the Players to pay the prediction fee and in the same time to set their prediction for the corresponding match.

  2. A user can call makePrediction directly without depositing the entranceFee, which is lost revenue for the ThePredicter contract.

  3. More than 16 players can take part, breaking the business logic.

Tools Used

Manual

Recommendations

  1. Add an onlyPlayer modifier so that only approved players can call makePrediction.

error ThePredicter__NonPlayerAccess();

// Only addresses whose registration has been approved may call the guarded function.
modifier onlyPlayer() {
    if (playersStatus[msg.sender] != Status.Approved) {
        revert ThePredicter__NonPlayerAccess();
    }
    _;
}

function makePrediction(
    uint256 matchNumber,
    ScoreBoard.Result prediction
) public payable onlyPlayer {
    if (msg.value != predictionFee) {
        revert ThePredicter__IncorrectPredictionFee();
    }
    if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
        revert ThePredicter__PredictionsAreClosed();
    }
    scoreBoard.confirmPredictionPayment(msg.sender, matchNumber);
    scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
}
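An added Foundry regression test for the recommendation above; it is not part of the original submission or of the ThePredicter codebase. It runs against a simplified stand-in contract, and the Status enum values other than Approved, the fee amount, the uint8 prediction type and the approve() helper are assumptions made for the test.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Simplified stand-in for ThePredicter, written for this test only. Status values,
// fee, prediction type and approve() are assumptions, not the audited contract's.
contract PredicterStandIn {
    enum Status { Unknown, Pending, Approved, Canceled }
    error ThePredicter__NonPlayerAccess();
    error ThePredicter__IncorrectPredictionFee();
    uint256 public constant predictionFee = 0.0001 ether;
    mapping(address => Status) public playersStatus;
    mapping(address => mapping(uint256 => uint8)) public predictions;

    // Test helper standing in for the real registration/approval flow.
    function approve(address player) external { playersStatus[player] = Status.Approved; }

    modifier onlyPlayer() {
        if (playersStatus[msg.sender] != Status.Approved) revert ThePredicter__NonPlayerAccess();
        _;
    }

    function makePrediction(uint256 matchNumber, uint8 prediction) external payable onlyPlayer {
        if (msg.value != predictionFee) revert ThePredicter__IncorrectPredictionFee();
        predictions[msg.sender][matchNumber] = prediction;
    }
}

contract MakePredictionAccessTest is Test {
    PredicterStandIn p;
    address player = makeAddr("player");
    address outsider = makeAddr("outsider");

    function setUp() public {
        p = new PredicterStandIn();
        p.approve(player);
        vm.deal(player, 1 ether);
        vm.deal(outsider, 1 ether);
    }

    // Regression for the finding: an address that never went through approval
    // must be rejected before any prediction state is written.
    function test_outsiderCannotPredict() public {
        vm.prank(outsider);
        vm.expectRevert(PredicterStandIn.ThePredicter__NonPlayerAccess.selector);
        p.makePrediction{value: p.predictionFee()}(1, 1);
        assertEq(p.predictions(outsider, 1), 0);
    }

    function test_approvedPlayerCanPredict() public {
        vm.prank(player);
        p.makePrediction{value: p.predictionFee()}(1, 2);
        assertEq(p.predictions(player, 1), 2);
    }
}
```

Run with `forge test --match-contract MakePredictionAccessTest`; the first test fails against the unpatched makePrediction and passes once the onlyPlayer modifier is in place.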
Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
