Beginner Friendly, Foundry
Submission Details
Severity: high
Invalid

Organizer Manipulation of Contest Outcomes

Summary

The ThePredicter smart contract gives a single organizer key sole control over player approvals and over withdrawal of the collected prediction fees. Nothing on-chain constrains either decision, so a dishonest organizer can skew who takes part in the contest and can remove the fees without any check by the players.

Vulnerability Details

Unrestricted Player Approval: The approvePlayer function lets the organizer approve or deny any registration with no on-chain criteria and no record of why a decision was taken. This can be abused to:

  • Selectively approve players who are likely to lose, increasing the organizer's own chances of winning the contest.

  • Collude with specific players, granting them preferential treatment and unfair advantages.

  • Exclude skilled players or those perceived as a threat, skewing the competition in the organizer's favor.

Unilateral Fee Withdrawal: The withdrawPredictionFees function lets the organizer withdraw every collected prediction fee in a single call, with no player consent, delay or other oversight. This raises the following concerns:

  • Misappropriation of funds: The organizer could pocket the fees without distributing any rewards to the players.

  • Lack of transparency: Players have no visibility into when or why fees are withdrawn, so they cannot verify that the funds are used as promised.

  • Financial risk: Players stand to lose their prediction fees if the organizer acts dishonestly.

Impact

Both issues reduce to the same thing: the contest's fairness and the safety of the fee pool rest entirely on trusting one organizer key. If that key is dishonest or compromised, the contest can be rigged and players can lose the fees they paid. Note that the lead judge later invalidated this report as a design choice (see Updates below): it describes a trust assumption about the organizer role rather than a defect in the code.

Tools Used

Manual code review

Recommendations

To reduce the trust placed in the organizer, consider the following changes:

  1. Decentralize Player Approval:

    • Introduce a voting mechanism where players or a trusted committee collectively decide on player approvals.

    • Make the approval process transparent and auditable: publish the approval criteria, and record each decision on-chain (for example as an event naming the player, the outcome and the reason) so it can be checked after the fact.

  2. Require Consensus for Fee Withdrawal:

    • Implement a multi-signature scheme in which several parties (including player representatives) must authorize a fee withdrawal, and add a public delay between proposal and execution so players can see a pending withdrawal before it happens.

    • Establish a clear and transparent fee distribution policy, outlining how the fees will be used to fund rewards and cover operational costs.

    • Provide regular reports to players detailing the collected fees and their allocation.
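As an added illustration (this is not ThePredicter's code; every contract, function and variable name below is an assumption), the following Solidity sketch puts the single-key pattern described under Vulnerability Details next to a version that applies recommendations 1 and 2: each approval decision is emitted as an event with a stated reason, and prediction fees leave the contract only after a threshold of committee signers has confirmed a proposal and a public delay has elapsed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative sketch only, not ThePredicter's code. Names and storage layout are assumed.

// Pattern the submission describes: one organizer key gates approvals and fee withdrawal,
// with no criteria, no record of reasons and no delay.
contract SingleOrganizerContest {
    address public organizer;
    mapping(address => bool) public approved;
    uint256 public predictionFees;

    constructor() { organizer = msg.sender; }

    modifier onlyOrganizer() { require(msg.sender == organizer, "not organizer"); _; }

    function approvePlayer(address player) external onlyOrganizer {
        approved[player] = true; // silent decision: nothing says why this player was approved
    }

    function withdrawPredictionFees() external onlyOrganizer {
        uint256 amount = predictionFees;
        predictionFees = 0;
        (bool ok,) = organizer.call{value: amount}(""); // whole pool, one call, no oversight
        require(ok, "transfer failed");
    }

    receive() external payable { predictionFees += msg.value; } // stand-in for fee intake
}

// Hardened sketch: a committee (which may include player representatives) decides approvals
// with a logged reason, and withdrawals need M-of-N confirmations plus a timelock.
contract CommitteeContest {
    uint256 public constant WITHDRAW_DELAY = 2 days;
    address[] public signers;
    uint256 public immutable threshold;
    mapping(address => bool) public isSigner;
    mapping(address => bool) public approved;
    uint256 public predictionFees;

    struct Withdrawal { address to; uint256 amount; uint256 readyAt; uint256 confirmations; bool executed; }
    Withdrawal[] public withdrawals;
    mapping(uint256 => mapping(address => bool)) public confirmedBy;

    event PlayerDecision(address indexed player, bool ok, address indexed by, string reason);
    event WithdrawalProposed(uint256 indexed id, address to, uint256 amount, uint256 readyAt);
    event WithdrawalConfirmed(uint256 indexed id, address indexed signer);
    event WithdrawalExecuted(uint256 indexed id);

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        for (uint256 i; i < _signers.length; i++) { isSigner[_signers[i]] = true; }
        signers = _signers;
        threshold = _threshold;
    }

    modifier onlySigner() { require(isSigner[msg.sender], "not signer"); _; }

    // Every approval or denial is an on-chain event carrying a non-empty reason,
    // so the decision can be audited off-chain against the published criteria.
    function decidePlayer(address player, bool ok, string calldata reason) external onlySigner {
        require(bytes(reason).length != 0, "reason required");
        approved[player] = ok;
        emit PlayerDecision(player, ok, msg.sender, reason);
    }

    // A withdrawal is proposed publicly, counts as the proposer's confirmation,
    // and cannot execute before WITHDRAW_DELAY has passed.
    function proposeWithdrawal(address to, uint256 amount) external onlySigner returns (uint256 id) {
        require(amount <= predictionFees, "exceeds fees");
        id = withdrawals.length;
        uint256 readyAt = block.timestamp + WITHDRAW_DELAY;
        withdrawals.push(Withdrawal(to, amount, readyAt, 0, false));
        emit WithdrawalProposed(id, to, amount, readyAt);
        confirmWithdrawal(id);
    }

    function confirmWithdrawal(uint256 id) public onlySigner {
        require(!confirmedBy[id][msg.sender], "already confirmed");
        confirmedBy[id][msg.sender] = true;
        withdrawals[id].confirmations += 1;
        emit WithdrawalConfirmed(id, msg.sender);
    }

    // Anyone may execute once the threshold and the delay are both satisfied.
    function executeWithdrawal(uint256 id) external {
        Withdrawal storage w = withdrawals[id];
        require(!w.executed, "already executed");
        require(w.confirmations >= threshold, "not enough confirmations");
        require(block.timestamp >= w.readyAt, "timelocked");
        require(w.amount <= predictionFees, "exceeds fees");
        w.executed = true;
        predictionFees -= w.amount;
        (bool ok,) = w.to.call{value: w.amount}("");
        require(ok, "transfer failed");
        emit WithdrawalExecuted(id);
    }

    receive() external payable { predictionFees += msg.value; } // stand-in for fee intake
}
```

In the hardened version a single signer can still propose and confirm, but cannot move funds alone: the threshold is fixed at deployment, and the WithdrawalProposed event plus the delay give players time to inspect a pending withdrawal on-chain before it can execute.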

Updates

Lead Judging Commences

NightHawK (Lead Judge), 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
