Submission Details
Severity: high
Valid

[H-2] Unapproved players can make predictions in `ThePredicter::makePrediction` function, which violates the intended game mechanics

Summary:

The makePrediction function in ThePredicter.sol allows unapproved players to make predictions, violating the intended game mechanics and potentially compromising the integrity of the prediction system.

Vulnerability Details:

The makePrediction function lacks a check to ensure that only approved players can make predictions. This allows any registered player, regardless of their approval status, to participate in the prediction game.

Proof of Concept:

Here is a test proving that a registered user who is not an approved player can make a prediction. Add this test to ThePredicter.test.sol and run `forge test --mt testUnapprovedPlayerCanMakePrediction -vvvv` in a terminal.

```solidity
function testUnapprovedPlayerCanMakePrediction() public {
    address unapprovedPlayer = makeAddr("unapprovedPlayer");
    vm.deal(unapprovedPlayer, 1 ether);

    // Register the player, but don't approve them
    vm.prank(unapprovedPlayer);
    thePredicter.register{value: ENTRANCE_FEE}();

    uint256 initialBalance = address(thePredicter).balance;

    // Try to make a prediction with an unapproved player
    vm.prank(unapprovedPlayer);
    thePredicter.makePrediction{value: PREDICTION_FEE}(0, ScoreBoard.Result.First);

    // Check that the prediction fee was transferred, i.e. the call did not revert
    assertEq(address(thePredicter).balance, initialBalance + PREDICTION_FEE, "Prediction fee should be transferred to the contract");
    console.log("Unapproved player successfully made a prediction");
}
```

Test output:

```
[PASS] testUnapprovedPlayerCanMakePrediction() (gas: 137928)
Logs: Unapproved player successfully made a prediction
```

Impact:

This vulnerability allows unauthorized participants in the prediction game, which could lead to:

  • Violation of game rules and mechanics.

  • Potential financial losses if unapproved players can claim rewards.

  • Undermining of the system's integrity and fairness.

  • Possible exploitation through creation of multiple unapproved accounts.

Tools Used:

Forge testing framework, Manual review, AI for troubleshooting

Recommended Mitigation:

Add a check in the makePrediction function to ensure only approved players can make predictions:

```diff
function makePrediction(uint256 _matchNumber, ScoreBoard.Result _result) public payable {
+   require(playersStatus[msg.sender] == Status.Approved, "ThePredicter: Player not approved");
    if (_matchNumber >= 9) {
        revert ThePredicter__InvalidMatchNumber();
    }
    if (block.timestamp > scoreBoard.getMatchDate(_matchNumber) - 68400) {
        revert ThePredicter__PredictionsAreClosed();
    }
    scoreBoard.confirmPredictionPayment(msg.sender, _matchNumber);
    // ... rest of the function
}
```

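To confirm the mitigation closes the issue, the PoC above can be mirrored as a regression test that expects the call to revert and checks that no fee is collected. This is an added example, not part of the original submission or the project's test suite; it assumes the same test fixture as the PoC (`thePredicter`, `ENTRANCE_FEE`, `PREDICTION_FEE`) and the exact revert string used in the recommended `require`.

```solidity
function testUnapprovedPlayerCannotMakePredictionAfterFix() public {
    address unapprovedPlayer = makeAddr("unapprovedPlayer");
    vm.deal(unapprovedPlayer, 1 ether);

    // Same setup as the PoC: register, but never approve the player
    vm.prank(unapprovedPlayer);
    thePredicter.register{value: ENTRANCE_FEE}();

    uint256 balanceBefore = address(thePredicter).balance;

    // With the require() in place the call must revert with the message
    // from the recommended mitigation (assumed string, matches the diff above)
    vm.expectRevert(bytes("ThePredicter: Player not approved"));
    vm.prank(unapprovedPlayer);
    thePredicter.makePrediction{value: PREDICTION_FEE}(0, ScoreBoard.Result.First);

    // A reverted call leaves the contract balance unchanged: no fee taken
    // from a player who is not allowed to predict
    assertEq(address(thePredicter).balance, balanceBefore, "No fee should be collected from an unapproved player");
}
```

Before the fix is applied this test fails (the call succeeds and the fee is collected, as the PoC shows); after it is applied it passes.
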
Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
