First Flight #20: The Predicter
First Flight #20
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Valid

Incorrect timestamp validation logic in `ThePredicter::makePrediction` and `ScoreBoard::setPrediction`, leading to a potential Denial of Service (DoS) attack.

v1vah0us3

[H-1] Incorrect timestamp validation logic in ThePredicter::makePrediction and ScoreBoard::setPrediction, leading to a potential Denial of Service (DoS) attack.

Description:

The ThePredicter::makePrediction and ScoreBoard::setPrediction functions are designed to be executed within a specific time frame: until 19:00:00 UTC on the day of the match. However, the current implementation uses incorrect timestamp validation logic. The affected implementations are shown below:

>> if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
revert ThePredicter__PredictionsAreClosed();
}
.....
>> if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
playersPredictions[player].predictions[matchNumber] = result;
.....

Proof of Concept:

As described in the contest documentation, there are a total of 9 matches to be played, starting on Thu Aug 15 2024 20:00:00 UTC. Every day from 20:00:00 UTC one match is played. Until 19:00:00 UTC on the day of the match, predictions can be made. This data can be used to check the logic of the if statement in ThePredicter::makePrediction:

>> if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
revert ThePredicter__PredictionsAreClosed();
}
.....

Below is a verification of the logic with actual values:

block.timestamp > 1723752000 + 1 * 68400 - 68400 == block.timestamp > 1723752000 (Thu Aug 15 2024 20:00:00)
block.timestamp > 1723752000 + 2 * 68400 - 68400 == block.timestamp > 1723820400 (Fri Aug 16 2024 15:00:00)
block.timestamp > 1723752000 + 3 * 68400 - 68400 == block.timestamp > 1723888800 (Sat Aug 17 2024 10:00:00)
block.timestamp > 1723752000 + 4 * 68400 - 68400 == block.timestamp > 1723957200 (Sun Aug 18 2024 05:00:00)
block.timestamp > 1723752000 + 5 * 68400 - 68400 == block.timestamp > 1724025600 (Mon Aug 19 2024 00:00:00)
block.timestamp > 1723752000 + 6 * 68400 - 68400 == block.timestamp > 1724094000 (Mon Aug 19 2024 19:00:00)
block.timestamp > 1723752000 + 7 * 68400 - 68400 == block.timestamp > 1724162400 (Tue Aug 20 2024 14:00:00)
block.timestamp > 1723752000 + 8 * 68400 - 68400 == block.timestamp > 1724230800 (Wed Aug 21 2024 09:00:00)
block.timestamp > 1723752000 + 9 * 68400 - 68400 == block.timestamp > 1724299200 (Thu Aug 22 2024 04:00:00)

The result of this test shows that the logic behind the calculation of the correct time for the predictions to be made is faulty. In fact, it goes so far that for the last game the prediction threshold is Thu Aug 22 2024 04:00:00and not Fri Aug 23 2024 19:00:00.

Impact:

Players will no longer be able to make their predictions by 19:00 on a daily basis and will not be able to pay the prediction fees. As a result, the protocol will lose a significant amount of prediction fees.
Likelihood: High / Impact: High, resulting in an overall risk level of High.

Tools Used:

VSCode, manual review

Recommended Mitigation:

Consider using this improved logic for the if statement in ThePredicter::makePrediction:

- if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
+ if (block.timestamp > START_TIME + matchNumber * 86400 - 3600) {
revert ThePredicter__PredictionsAreClosed();
}

The improved logic for the if statement in ScoreBoard::setPrediction would be as follows:

- if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
+ if (block.timestamp <= START_TIME + matchNumber * 86400 - 3600)
playersPredictions[player].predictions[matchNumber] = result;
Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Match timestamps are incorrect

In both contracts there is a similar error in the computation of the timestamps of the matches.

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.