Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Anyone can call `ThePredicter::makePrediction`, without paying `entranceFee`, regardless of their user status (i.e. approved/cancelled/pending).

Summary

The `ThePredicter::makePrediction` function, and the external calls it makes, perform no check that `msg.sender` is an approved user, although the protocol intends that only approved players make predictions. Because the function is public, anyone can call it and become eligible for rewards without ever paying `entranceFee`, the fee that forms the prize pool and is a core part of the protocol.

Vulnerability Details

Because there is no check that the caller is a player (i.e. an approved user), anyone can make predictions by calling `ThePredicter::makePrediction` without paying the entrance fee.

Paste the following code in the test suite:

    function test_makePredictionWithoutBeingPlayerAndNoEntranceFee() public {
        vm.startPrank(stranger);
        // Thu Aug 15 2024 00:26:39 GMT+0000, in order to pass the timestamp check;
        // this is a part of another security issue
        vm.warp(1723750000 - 68401);
        vm.deal(stranger, 1 ether);
        thePredicter.makePrediction{value: 0.0001 ether}(
            0,
            ScoreBoard.Result.Draw
        );
        vm.stopPrank();
        ScoreBoard.Result prediction = scoreBoard.getPrediction(stranger, 0);
        assertEq(uint8(prediction), uint8(ScoreBoard.Result.Draw), "Prediction was not set correctly");
        assertEq(stranger.balance, 0.9999 ether);
    }

... and the following getter function in ScoreBoard.sol

    function getPrediction(address player, uint256 matchNumber) public view returns (Result) {
        return playersPredictions[player].predictions[matchNumber];
    }

Impact

Malicious users who make predictions without paying `entranceFee` take part in the reward distribution and can collect part or all of the prize pool without having contributed to it, breaking the core logic of the betting protocol.

Tools Used

Foundry, Manual review

Recommendations

Add a check to the `ThePredicter::makePrediction` function that `msg.sender` has the Approved status:

    function makePrediction(
        uint256 matchNumber,
        ScoreBoard.Result prediction
    ) public payable {
+       if (playersStatus[msg.sender] != Status.Approved) {
+           revert ThePredicter__UnauthorizedAccess();
+       }
        if (msg.value != predictionFee) {
            revert ThePredicter__IncorrectPredictionFee();
        }
        .
        .
        .
    }
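The following is an added, self-contained illustration of the recommended fix; it is not the protocol's code. It mirrors the names the finding refers to (`playersStatus`, `Status.Approved`, `predictionFee`, `ThePredicter__UnauthorizedAccess`) but the `Unknown` default status, the `Result` enum values other than `Draw`, the `register`/`approvePlayer` functions and the storage layout are assumptions made for the example. The point it demonstrates is that the only path into `Status.Approved` runs through `register`, which requires `entranceFee`, so the status check in `makePrediction` is what ties prize-pool eligibility to having paid into the pool.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the audited contract. Names taken from the finding;
/// everything else (Unknown status, Result values, register/approvePlayer) is assumed.
contract PredicterAccessControlExample {
    // Assumed: Unknown is the zero value, so an address that never registered
    // can never compare equal to Approved.
    enum Status { Unknown, Pending, Approved, Canceled }
    // Assumed enum; only Draw appears on the page.
    enum Result { Pending, First, Draw, Second }

    address public immutable organizer;
    uint256 public immutable entranceFee;
    uint256 public immutable predictionFee;

    mapping(address => Status) public playersStatus;
    // player => matchNumber => prediction
    mapping(address => mapping(uint256 => Result)) public predictions;

    error ThePredicter__UnauthorizedAccess();
    error ThePredicter__IncorrectEntranceFee();
    error ThePredicter__IncorrectPredictionFee();
    error ThePredicter__NotOrganizer();

    constructor(uint256 _entranceFee, uint256 _predictionFee) {
        organizer = msg.sender;
        entranceFee = _entranceFee;
        predictionFee = _predictionFee;
    }

    /// Registration is the only way into playersStatus and it requires the
    /// entrance fee, so every Approved player has paid into the prize pool.
    function register() external payable {
        if (msg.value != entranceFee) revert ThePredicter__IncorrectEntranceFee();
        if (playersStatus[msg.sender] != Status.Unknown) revert ThePredicter__UnauthorizedAccess();
        playersStatus[msg.sender] = Status.Pending;
    }

    /// Organizer moves a registered player from Pending to Approved.
    function approvePlayer(address player) external {
        if (msg.sender != organizer) revert ThePredicter__NotOrganizer();
        if (playersStatus[player] != Status.Pending) revert ThePredicter__UnauthorizedAccess();
        playersStatus[player] = Status.Approved;
    }

    /// Hardened makePrediction: the status check comes first and reverts before
    /// any state is written, so an unregistered or cancelled address cannot
    /// obtain a prediction (and thus reward eligibility) at any price.
    function makePrediction(uint256 matchNumber, Result prediction) external payable {
        if (playersStatus[msg.sender] != Status.Approved) {
            revert ThePredicter__UnauthorizedAccess();
        }
        if (msg.value != predictionFee) {
            revert ThePredicter__IncorrectPredictionFee();
        }
        predictions[msg.sender][matchNumber] = prediction;
    }
}
```

With this check in place, the proof-of-concept test above no longer passes: the call from `stranger` reverts with `ThePredicter__UnauthorizedAccess` and `stranger.balance` stays at 1 ether. In the Foundry harness that behaviour can be pinned down with `vm.expectRevert(ThePredicter.ThePredicter__UnauthorizedAccess.selector)` immediately before the `makePrediction` call, which turns the PoC into a regression test for the fix.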
Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
