The makePrediction() function allows players to place bets on a specific game, requiring them to pay a prediction fee beforehand. However, the current implementation lacks a check to verify the player's status before they can place a bet. As a result, a player could register and place a bet without being properly approved, which undermines the integrity of the betting process.
The makePrediction() function has a serious vulnerability: a player can register without approval, place a prediction, and then withdraw their entrance fee without contributing any significant amount. This flaw undermines the integrity of the prediction system and allows players to exploit the protocol without properly participating.
Malicious players can exploit this vulnerability to drain the protocol by placing predictions without paying the entrance fee. They can register with a pending status, make a prediction, and then use the cancelRegistration() function to withdraw their entrance fee, effectively contributing nothing while still taking advantage of the system.
Manual
Add a require check on makePrediction():
require(playersStatus[msg.sender] == Status.Approved, "Not Allowed");
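The recommended check in context, as an added example that is not part of the finding or the audited contract: a constructed minimal model of the registration lifecycle showing where the gate sits so that a pending player who can still call cancelRegistration() cannot reach makePrediction(). The contract name, the fee values, register(), approvePlayer(), predictionCount and the Status members other than Approved are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed model for illustration, not the audited code. Only playersStatus,
// Status.Approved, makePrediction and cancelRegistration come from the finding;
// all other names and the fee values are assumptions.
contract PredictionGateModel {
    enum Status { Unknown, Pending, Approved, Canceled }

    uint256 public constant ENTRANCE_FEE = 0.04 ether;     // assumed value
    uint256 public constant PREDICTION_FEE = 0.0001 ether; // assumed value

    address public immutable organizer;
    mapping(address => Status) public playersStatus;
    mapping(address => uint256) public predictionCount;

    constructor() { organizer = msg.sender; }

    // Registration only moves the caller to Pending; approval is a separate step.
    function register() external payable {
        require(msg.value == ENTRANCE_FEE, "Wrong entrance fee");
        require(playersStatus[msg.sender] == Status.Unknown, "Already registered");
        playersStatus[msg.sender] = Status.Pending;
    }

    function approvePlayer(address player) external {
        require(msg.sender == organizer, "Not organizer");
        require(playersStatus[player] == Status.Pending, "Not pending");
        playersStatus[player] = Status.Approved;
    }

    // Only a Pending player can reclaim the entrance fee.
    function cancelRegistration() external {
        require(playersStatus[msg.sender] == Status.Pending, "Not pending");
        playersStatus[msg.sender] = Status.Canceled; // update state before the transfer
        (bool ok, ) = msg.sender.call{value: ENTRANCE_FEE}("");
        require(ok, "Refund failed");
    }

    function makePrediction() external payable {
        // The gate from the recommendation: Pending (still refundable), Canceled
        // and unregistered callers all revert here, so only a player whose
        // entrance fee is committed can record a prediction.
        require(playersStatus[msg.sender] == Status.Approved, "Not Allowed");
        require(msg.value == PREDICTION_FEE, "Wrong prediction fee");
        predictionCount[msg.sender] += 1;
    }
}
```

A regression test for the fix would call register() followed by makePrediction() from an unapproved address and expect the "Not Allowed" revert, then repeat after approvePlayer() and expect success.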
makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.