`ThePredicter::withdrawPredictionFees` function calculation assumes that the balance consists only of `entrance fees` and the `players.length` which can lead to loss of funds in the protocol's account balance.
Summary
ThePredicter::withdrawPredictionFees function calculates and executes the withdrawal of rewards to players that have positive points. However there is an incorrect calculation because this function assumes that the contract balance, address(this).balance - players.length * entrance fee = player prediction fee to be withdrawn.
Vulnerability Details
uint256 fees = address(this).balance - players.length * entranceFee;
Impact
If the players.length * entrance fee is more than the address(this).balance, this would cause an calculation error. This can drain the procol of funds and also deny some players their due prediction fee. Also if the players.length * entranceFee is more than the contract account balance address(this).balance there would be negative fee to withdraw which is an error in the protocol.
Tools Used
manual review
Recommendations
The correct parameter should be implemented to calculate the prediction fee. The correct parameter of how the protocol's prediction fee calculation should be documented and implemented. Ensure the calculation accurately reflects the intended fee structure based on the documentation. Also add checks to ensure the balance is sufficient before performing the calculation.
Lead Judging Commences
Wrong computation in withdrawPredictionFees
withdrawPredictionFees incorrectly computes the value to be transferred to the organizer, which leads to pending players not being able to cancel their registration, approved players not being able to claim their rewards and other errors.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.