Players who have paid exactly one prediction fee will not be able to withdraw their rewards using `ThePredictor::withdraw` function, leading to a potential Denial of Service (DoS) attack.
Description:
As described in the contest documentation: "Players can receive an amount from the prize fund only if their total number of points is a positive number and if they had paid at least one prediction fee". In ScoreBoard.sol contract, the logic for counting the number of times the Player has paid prediction fees is handled by the isEligibleForReward function:
The predictionsCount variable keeps track of the accounting and is incremented only when the Player pays the fee in the ScoreBoard::setPrediction function. However, the isEligibleForReward function will return false if the Player has paid for exactly one prediction and all match results are known. This is due to the condition playersPredictions[player].predictionsCount > 1.
Impact:
Players who have paid for exactly one prediction will not be able to withdraw their rewards via ThePredicter::withdraw, even if their prediction was correct and the tournament has concluded.
Likelihood: High / Impact: High, resulting in an overall risk level of High.
Tools Used:
VSCode, manual review
Recommended Mitigation:
Consider making the following changes to the ScoreBoard::isEligibleForReward function:
Lead Judging Commences
The eligibility criteria is wrong
Players with only one prediction cannot withdraw.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.