First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: medium

Valid

[H-2] Deadline Miscalculation in ThePredicter::makePrediction()

ivanonchain

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-the-predicter/blob/839bfa56fe0066e7f5610197a6b670c26a4c0879/src/ThePredicter.sol#L93

Summary

The ThePredicter::makePrediction() function should ensure that players can only set predictions until 19:00:00 UTC on the day of the match, one hour before the match starts, as stated in the documentation. However, there is an error in the conditional logic, causing the time to shift back by 5 hours each day. Consequently, by the last match, players will only be able to set predictions almost 40 hours in advance.

Vulnerability Details

Here some maths that proof the vulnerability

START_TIME = 1723752000 --> Thu Aug 15 2024 20:00:00 GMT+0000.

First match:
START_TIME + matchNumber * 68400 - 68400
1723752000 + 1 * 68400 - 68400 = 1723752000
1723752000 --> Thu Aug 15 2024 20:00:00 GMT+0000. This is the time when the first match starts

Second match:
START_TIME + matchNumber * 68400 - 68400
1723752000 + 2 * 68400 - 68400 = 1723820400
1723820400 --> Friday, August 16, 2024 15:00:00 GMT+0000. Five hours before the match beginning

Third match:
START_TIME + matchNumber * 68400 - 68400
1723752000 + 3 * 68400 - 68400 = 1723888800
1723888800 --> Saturday, August 17, 2024 10:00:00 GMT+0000. Ten hours before the match beginning

Ninth match:
START_TIME + matchNumber * 68400 - 68400
1723752000 + 9 * 68400 - 68400 = 1723888800
1723888800 --> Thursday, August 22, 2024 4:00:00 GMT+0000. More than one day before the match begin

Recommendations

Use one day in seconds to advance each day and 23 hour in seconds to limit to one hour before of the match. Also is recomended use constants to improve the reability of the code.

+uint256 private constant ONE_DAY = 86400

+uint256 private constant TWENTY_THREE_HOURS = 82800

-if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)

+if (block.timestamp <= START_TIME + matchNumber * ONE_DAY - TWENTY_THREE_HOURS)

playersPredictions[player].predictions[matchNumber] = result;

Impact

The basic functionality is broken because some players will wait until 19:00:00 to set their predictions, and they won't be able to do so, resulting in a high impact. This issue is expected to occur from the second match onwards, making the likelihood of it happening high.

Tools Used

Manual review

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago

Submission Judgement Published

Validated

Assigned finding tags:

Match timestamps are incorrect

In both contracts there is a similar error in the computation of the timestamps of the matches.

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.