Submission Details
Severity: low
Invalid

Centralization risk in `ScoreBoard::setResult`: the result is specified by a single person, a potential single point of failure if the result is entered wrongly or manipulated

Summary

The match result is entered through `ScoreBoard::setResult` under relatively loose conditions by a single party, the owner. This creates a centralization risk if the result is entered incorrectly or is manipulated in the owner's favor.

Vulnerability Details

`ScoreBoard::setResult` is used to enter the match result, which affects the reward calculation for all players. Result entry is centralized: only the owner has the right to input the result, and the function applies only a simple, loose condition:

```solidity
function setResult(uint256 matchNumber, Result result) public onlyOwner {
    results[matchNumber] = result;
}
```

The result is entered without any time control or further verification. There is also no function that lets players check the result entered for a match they are interested in; they can only call `ScoreBoard::getPlayerScore`, which accumulates the score across all matches without breaking down the results or scores per match. If the owner enters the wrong result for any match, players have no way to know exactly which result was entered incorrectly or has been compromised or manipulated.

Impact

The result could be entered wrongly or manipulated, affecting the reward calculation for all players.

Tools Used

Manual review

Recommendations

The centralization concern can be reduced by implementing any of the following:

  1. Time control on result entry

  2. Second level verification check

  3. Emit an event that lets the application front-end display the result entered by the owner for each match

  4. Add a new function that lets players check the results entered by the owner, to increase transparency and mitigate the centralized control over the results.
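
A sketch of recommendations 1, 3 and 4 combined, added here as an illustration and not taken from the contest code base. The `Result` enum values, the one-hour `REVIEW_WINDOW`, and every name other than `setResult` are assumptions; a second-party verification step (recommendation 2) is not shown.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration only. Enum values, REVIEW_WINDOW and all names
// except setResult are assumed, not taken from the audited ScoreBoard.
contract ScoreBoardSketch {
    enum Result { Pending, Win, Lose }                 // assumed values
    uint256 public constant REVIEW_WINDOW = 1 hours;   // assumed delay
    address public immutable owner;
    mapping(uint256 => Result) private results;        // finalized results
    mapping(uint256 => Result) private proposed;       // awaiting the review window
    mapping(uint256 => uint256) public proposedAt;     // 0 means nothing proposed
    event ResultProposed(uint256 indexed matchNumber, Result result, uint256 finalizableAt);
    event ResultFinalized(uint256 indexed matchNumber, Result result);
    error NotOwner();
    error InvalidResult();
    error AlreadyFinalized(uint256 matchNumber);
    error NothingProposed(uint256 matchNumber);
    error ReviewWindowOpen(uint256 finalizableAt);

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    constructor() { owner = msg.sender; }

    // Owner proposes (or corrects) a result; the event makes every entry visible off-chain.
    function setResult(uint256 matchNumber, Result result) external onlyOwner {
        if (result == Result.Pending) revert InvalidResult();
        if (results[matchNumber] != Result.Pending) revert AlreadyFinalized(matchNumber);
        proposed[matchNumber] = result;
        proposedAt[matchNumber] = block.timestamp;
        emit ResultProposed(matchNumber, result, block.timestamp + REVIEW_WINDOW);
    }

    // Time control: a result only counts once the review window has elapsed.
    function finalizeResult(uint256 matchNumber) external {
        uint256 at = proposedAt[matchNumber];
        if (at == 0) revert NothingProposed(matchNumber);
        if (results[matchNumber] != Result.Pending) revert AlreadyFinalized(matchNumber);
        if (block.timestamp < at + REVIEW_WINDOW) revert ReviewWindowOpen(at + REVIEW_WINDOW);
        results[matchNumber] = proposed[matchNumber];
        emit ResultFinalized(matchNumber, results[matchNumber]);
    }

    // Per-match getter so players can inspect each finalized result.
    function getResult(uint256 matchNumber) external view returns (Result) { return results[matchNumber]; }
}
```

In this sketch, score calculation would read only finalized results, and a finalized result can no longer be overwritten by the owner.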

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
