First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Organizer Manipulation of Contest Outcomes

kevinkkien

Summary

The ThePredicter smart contract grants the organizer absolute control over player approvals and fee withdrawals. This centralized authority can be exploited to manipulate contest outcomes and potentially misappropriate player funds.

Vulnerability Details

Unrestricted Player Approval: The approvePlayer function allows the organizer to approve or deny player registrations without any constraints or transparency. This can be abused to:

Selectively approve players who are likely to lose, increasing the organizer's chances of winning the contest.
Collude with specific players, granting them preferential treatment and unfair advantages.
Exclude skilled players or those perceived as a threat, skewing the competition in the organizer's favor.

Unilateral Fee Withdrawal: The withdrawPredictionFees function enables the organizer to withdraw all collected prediction fees without any player consent or oversight. This raises concerns about:

Misappropriation of funds: The organizer could potentially pocket the fees without distributing any rewards to the players.
Lack of transparency: Players have no visibility into the fee withdrawal process, making it difficult to verify if the funds are being used appropriately.
Financial risk: Players are exposed to the risk of losing their prediction fees if the organizer acts dishonestly.

Impact

These vulnerabilities undermine the fairness and integrity of the prediction contest, eroding trust in the platform and potentially causing significant financial harm to players.

Tools Used

Manual code review

Recommendations

To mitigate these vulnerabilities, consider implementing the following changes:

Decentralize Player Approval:
- Introduce a voting mechanism where players or a trusted committee collectively decide on player approvals.
- Implement a transparent and auditable approval process, publicly disclosing the criteria and reasoning behind each decision.
Require Consensus for Fee Withdrawal:
- Implement a multi-signature scheme requiring multiple parties (including player representatives) to authorize fee withdrawals.
- Establish a clear and transparent fee distribution policy, outlining how the fees will be used to fund rewards and cover operational costs.
- Provide regular reports to players detailing the collected fees and their allocation.

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Design choice

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.