A user can call cancelRegistration() from a contract, which will be sent the ETH refund. That contract can then call cancelRegistration() again in a loop until ThePredicter is drained.
The cancelRegistration() method is prone to a reentrancy attack because the player's status is updated only after the ETH is transferred, so the user can re-enter the method in a loop and drain the contract.
All the users' funds will be lost.
VS Code
Update the player status before refunding the funds.
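To make the fix concrete, here is an added illustration that is not ThePredicter's actual code: a reduced registration contract in its reentrant form next to the same contract with the status update moved before the refund (checks-effects-interactions). The `Status` enum, the `playersStatus` mapping and the `entranceFee` variable are assumed names chosen for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative contract, not ThePredicter's real code. Status, playersStatus and
// entranceFee are assumed names for this example.
contract RegistrationVulnerable {
    enum Status { Unknown, Pending, Canceled }

    uint256 public immutable entranceFee;
    mapping(address => Status) public playersStatus;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function register() external payable {
        require(msg.value == entranceFee, "wrong fee");
        require(playersStatus[msg.sender] == Status.Unknown, "already registered");
        playersStatus[msg.sender] = Status.Pending;
    }

    // VULNERABLE: the external call (interaction) runs before the state change
    // (effect). While the refund is in flight, playersStatus[msg.sender] is still
    // Pending, so a contract that receives the ETH can call back into this
    // function and pass the require again, repeating until the balance is gone.
    function cancelRegistration() external {
        require(playersStatus[msg.sender] == Status.Pending, "not pending");
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
        playersStatus[msg.sender] = Status.Canceled; // too late
    }
}

// Same contract with the recommendation applied: update the player status
// before refunding the funds.
contract RegistrationFixed {
    enum Status { Unknown, Pending, Canceled }

    uint256 public immutable entranceFee;
    mapping(address => Status) public playersStatus;

    constructor(uint256 _entranceFee) {
        entranceFee = _entranceFee;
    }

    function register() external payable {
        require(msg.value == entranceFee, "wrong fee");
        require(playersStatus[msg.sender] == Status.Unknown, "already registered");
        playersStatus[msg.sender] = Status.Pending;
    }

    // FIXED: check, then effect, then interaction. A re-entrant call now sees
    // Status.Canceled and reverts at the require, so at most one refund is paid.
    function cancelRegistration() external {
        require(playersStatus[msg.sender] == Status.Pending, "not pending");
        playersStatus[msg.sender] = Status.Canceled; // effect first
        (bool ok, ) = msg.sender.call{value: entranceFee}("");
        require(ok, "refund failed");
    }
}
```

The ordering change alone closes this finding because the only guard is the status check; a `nonReentrant` modifier (for example OpenZeppelin's ReentrancyGuard) can be layered on as defence in depth, but it should not replace putting the effect before the interaction.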
Reentrancy of ThePredicter::cancelRegistration allows a malicious user to drain all funds.