First Flight #20: The Predicter
First Flight #20
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: high
Valid

Users Can Make Predictions Without Paying the Entrance Fee

leogold

Summary

A vulnerability was identified that allows any random user to make predictions without registering as a Player. This behavior bypasses the intended access control mechanisms

Vulnerability Details

The makePrediction function in the ThePredicter contract does not verify if the user has registered and paid the entrance fee before allowing them to make a prediction. As a result, users can exploit this vulnerability to participate in the prediction process without contributing to the prize fund, thereby receiving an unfair advantage over honest players who follow the correct registration process.

POC

function test_makePrediction_without_EntranceFee() public {
vm.startPrank(stranger);
vm.warp(1);
vm.deal(stranger, 1 ether);
thePredicter.makePrediction{value: 0.0001 ether}(
0,
ScoreBoard.Result.Draw
);
thePredicter.makePrediction{value: 0.0001 ether}(
1,
ScoreBoard.Result.Draw
);
vm.stopPrank();
assertEq(address(thePredicter).balance,0.0002 ether);
}

Add the code above to predicter.test.sol and run with forge t --mc ThePredicterPOCTest -vvvvv to see the transaction traces.
Impact

Malicious users can repeatedly exploit this vulnerability to make predictions without financial commitment, potentially manipulating the betting outcomes and disrupting the intended operation of the protocol.

Tools Used

Manual Review / Foundry

Recommendations

Implement a check in the makePrediction function to verify if the caller has registered and paid the entrance fee before processing their prediction.

function makePrediction(
uint256 matchNumber,
ScoreBoard.Result prediction
) public payable {
if (msg.value != predictionFee) {
revert ThePredicter__IncorrectPredictionFee();
}
+ if(playersStatus[msg.sender] != Status.Approved){
+ revert ThePredicter__UnauthorizedAccess();
+ }
if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
revert ThePredicter__PredictionsAreClosed();
}
scoreBoard.confirmPredictionPayment(msg.sender, matchNumber);
scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
}
Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.