Submission Details
Severity: medium
Invalid

Lack of Priority Approval Mechanism for Ivan and His 15 Friends

Summary

This audit report identifies a critical issue in the ThePredicter smart contract: there is no mechanism to prioritize the approval of Ivan and his 15 friends as players, as stated in the documentation. This discrepancy between the documentation and the code can lead to potential issues in ensuring that Ivan and his friends are guaranteed participation in the betting system.

Vulnerability Details

Documentation Claim: According to the provided documentation, the protocol should allow the Organizer (Ivan) to prioritize the approval of himself and his 15 friends as players. This is important to ensure that these 16 trusted individuals are always included in the tournament.

Code Review: Upon reviewing the ThePredicter smart contract, it is evident that there is no specific mechanism to give priority approval to Ivan and his 15 friends. The approvePlayer function treats all pending users equally, without any distinction or priority.

Impact

Without a priority approval mechanism, there is no guarantee that Ivan and his 15 friends will be approved as players if there are many registrations. This could lead to situations where these trusted participants are unable to join the tournament, potentially compromising the intended operation and security of the system.

Tools Used

Manual review

Recommendations

To align the code with the documentation and ensure the intended priority approval mechanism, we recommend implementing a method to guarantee that Ivan and his 15 friends are always approved as players. Here are the proposed changes:

  1. Add a List of Trusted Addresses: Define a list of trusted addresses (Ivan and his 15 friends) in the contract.

  2. Modify the approvePlayer Function: Implement a mechanism to check if the address belongs to the list of trusted addresses and prioritize their approval.

address[16] private trustedAddresses = [
    0xAddress1, 0xAddress2, ..., 0xAddress16 // Ivan and his 15 friends' addresses
];

function isTrustedAddress(address player) internal view returns (bool) {
    for (uint256 i = 0; i < trustedAddresses.length; i++) {
        if (trustedAddresses[i] == player) {
            return true;
        }
    }
    return false;
}

function approvePlayer(address player) public {
    if (msg.sender != organizer) {
        revert ThePredicter__UnauthorizedAccess();
    }
    if (players.length >= 30) {
        revert ThePredicter__AllPlacesAreTaken();
    }
    if (playersStatus[player] == Status.Pending) {
        // Trusted addresses are always admitted; anyone else only while fewer than 16 players are approved
        if (isTrustedAddress(player) || (players.length < 16)) {
            playersStatus[player] = Status.Approved;
            players.push(player);
        } else {
            // Non-trusted address once 16 players are already approved
            if (players.length >= 16) {
                revert ThePredicter__AllPlacesAreTaken();
            }
            playersStatus[player] = Status.Approved;
            players.push(player);
        }
    }
}
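As an added check (example code, not the project's own or the report's), the following Python model replays approval orders against the admission rule written in the recommendation above, and against a reserved-slot variant that is an assumption of this example, so a reviewer can verify whether all 16 trusted addresses are admitted regardless of registration order; the addresses are constructed placeholders.

```python
# Added example, not the project's or the report author's code: a Python model of the
# report's approvePlayer, used to check that all 16 trusted addresses get approved.
MAX_PLAYERS = 30        # cap from the report's approvePlayer
TRUSTED_COUNT = 16      # Ivan and his 15 friends
# Constructed placeholder addresses; the real ones are not on the page.
TRUSTED = [f"0xTrusted{i:02d}" for i in range(TRUSTED_COUNT)]

class AllPlacesAreTaken(Exception):
    """Stands in for ThePredicter__AllPlacesAreTaken."""

def page_rule(players, trusted_set, player):
    """Admission test as written in the report: anyone while fewer than 16
    players are approved, afterwards only trusted addresses."""
    return player in trusted_set or len(players) < TRUSTED_COUNT

def reserved_rule(players, trusted_set, player):
    """Alternative rule (an assumption, not from the page): always keep enough
    free places for the trusted addresses that are not approved yet."""
    if player in trusted_set:
        return True
    missing_trusted = len(trusted_set - set(players))
    return len(players) + missing_trusted < MAX_PLAYERS

def approve_player(players, trusted_set, player, rule):
    """Cap check from the report's approvePlayer followed by the admission rule
    (organizer and pending-status checks are left out of the model)."""
    if len(players) >= MAX_PLAYERS or not rule(players, trusted_set, player):
        raise AllPlacesAreTaken(player)
    players.append(player)

def simulate(order, rule):
    """Approve the addresses in `order`; return (approved, rejected) lists."""
    players, rejected = [], []
    for addr in order:
        try:
            approve_player(players, set(TRUSTED), addr, rule)
        except AllPlacesAreTaken:
            rejected.append(addr)
    return players, rejected

def trusted_all_admitted(order, rule):
    """True if every trusted address ended up approved under `rule`."""
    return set(TRUSTED) <= set(simulate(order, rule)[0])

if __name__ == "__main__":
    # Worst case for the trusted group: 16 strangers are approved first.
    strangers = [f"0xStranger{i:02d}" for i in range(16)]
    for rule in (page_rule, reserved_rule):
        print(rule.__name__, trusted_all_admitted(strangers + TRUSTED, rule))
```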

Implementing a priority approval mechanism for Ivan and his 15 friends will ensure the integrity and intended operation of the ThePredicter contract. This enhancement will align the code with the documentation, guaranteeing that these trusted participants are always included in the tournament, thus maintaining the security and reliability of the protocol.

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
