First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Player with 1 paid prediction is not eligible for reward

soupy

Summary

Player with at least 1 paid prediction shall be eligible for reward. However, in ScoreBoard::isEligibleForReward, the function was found wrongly implemented the condition that disabled player with 1 paid prediction from getting his reward.

Vulnerability Details

According to the rules specified, player can receive an amount from the prize fund only if their total number of points is a positive number and if they had paid at least one prediction fee. However, function ScoreBoard::isEligibleForReward implemented condition that requires player to have more than 1 paid prediction for reward eligibility.

Proof of Concept:
Add the following test to test/ThePredicter.test.sol :

function testPlayerWithOnePaidPredictionIsEligibleForReward() public {

address player = makeAddr("Player");

vm.deal(player, 1 ether);

vm.prank(player);

thePredicter.register{value: 0.04 ether}();

vm.prank(organizer);

thePredicter.approvePlayer(player);

// player makes 1 paid prediction

vm.prank(player);

thePredicter.makePrediction{value: 0.0001 ether}(0, ScoreBoard.Result.Second);

vm.startPrank(organizer);

for (uint256 i; i < 9; i++) {

scoreBoard.setResult(i, ScoreBoard.Result.Second);

}

vm.stopPrank();

vm.prank(player);

bool eligible = scoreBoard.isEligibleForReward(player);

assert(eligible == true);

}

The test above will fail indicating that scoreBoard.isEligibleForReward has wrong implementation. However, if the condition imposed rectified as in the recommendation section below, a rerun of the same test will pass.

Impact

Player with one paid prediction is not eligible for reward redemption

Tools Used

Manual review

Recommendations

Make correction on the condition as below:

function isEligibleForReward(address player) public view returns (bool) {

return

results[NUM_MATCHES - 1] != Result.Pending &&

- playersPredictions[player].predictionsCount > 1;

+ playersPredictions[player].predictionsCount > 0;

}

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

The eligibility criteria is wrong

Players with only one prediction cannot withdraw.

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.