Submission Details
Severity:
ThePredicter::register is missing a status check : an approved player can register
Relevant GitHub Links
https://github.com/Cyfrin/2024-07-the-predicter/blob/main/src/ThePredicter.sol#L72
Summary
The register function does not check whether the player already has status.approved. The player therefore loses his approved status and pays the entry fee again.
Impact
The player loses his approved status and pays the entry fee again.
Can create duplicates in the player list.
Proof of Concept
Include this test in ThePredicterTest.sol
function test_PlayerAlreadyApprovedRegister() public {
//The player registers
vm.startPrank(stranger);
vm.deal(stranger, 1 ether);
thePredicter.register{value: 0.04 ether}();
vm.stopPrank();
//The organizer approves the player
vm.startPrank(organizer);
thePredicter.approvePlayer(stranger);
assertEq(
uint(thePredicter.playersStatus(stranger)),
uint(ThePredicter.Status.Approved)
);
vm.stopPrank();
//The player registers once again and loose his approved status
vm.startPrank(stranger);
thePredicter.register{value: 0.04 ether}();
vm.stopPrank();
assertEq(
uint(thePredicter.playersStatus(stranger)),
uint(ThePredicter.Status.Pending)
);
}
Tools Used
Foundry and manual review
Recommendations
Implement a check in the register function to ensure that a player with approved status cannot re-register.
Rewards breakdown
nSLOC
191This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.