Summary

The ScoreBoard smart contract lacks a reliable mechanism for verifying prediction payments. This allows the designated thePredicter to confirm payments without actual proof, creating the potential for fraud and manipulation of the system.

Vulnerability Details

The confirmPredictionPayment function in the ScoreBoard contract simply marks a prediction as paid based on a call from thePredicter. There is no requirement for proof of payment, such as a transaction hash or any other form of verification. This can be exploited in the following ways:

1. False Payment Confirmation: The thePredicter could mark predictions as paid even if the players have not actually sent any funds. This could be done to favor certain players or to manipulate the outcome of the prediction contest.

2. Denial of Valid Payments: The thePredicter could refuse to confirm legitimate payments from players, preventing them from participating in the contest or receiving rewards.

Impact

Players who haven't paid could be awarded prizes, while those who have paid legitimately could be denied.

Tools Used

Manual review

Recommendations

Require the thePredicter to provide proof of payment, such as a transaction hash, before confirming a payment. This proof could be stored on-chain for future reference.