Submission Details
Severity: high
Valid

The `playersStatus[player]` check is missing from the `makePrediction()` function.

Summary

The makePrediction() function in the ThePredicter contract currently lacks a check of the caller's player status. As a result, any user can call this function after paying the prediction fee, regardless of whether they have been approved.

Impact

Without checking player status, unauthorized users can participate in the game, make predictions, and potentially withdraw rewards. This could lead to exploitation of the game's reward system and unfair distribution of prizes.

Tools Used

Manual review and testing

Recommendations

Add a check for player status in the makePrediction() function to ensure that only approved players can make predictions. This can be implemented by adding a require statement at the beginning of the function.

function makePrediction(
    uint256 matchNumber,
    ScoreBoard.Result prediction
) public payable {
+   require(playersStatus[msg.sender] == Status.Approved, "must be an approved player");
    if (msg.value != predictionFee) {
        revert ThePredicter__IncorrectPredictionFee();
    }
    if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
        revert ThePredicter__PredictionsAreClosed();
    }
    scoreBoard.confirmPredictionPayment(msg.sender, matchNumber);
    scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
}

This modification ensures that only players with an "Approved" status can participate in the prediction process, thereby maintaining the integrity and fairness of the game.
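A Foundry test that exercises the recommended check, added here as an illustration rather than code from the submission or the contest repository. `PredicterLike` is a hypothetical stand-in that models only the pieces the finding touches (the `Status` enum, the `playersStatus` mapping, the prediction fee and `makePrediction`); its `approvePlayer`, `Result` enum and `ThePredicter__NotApproved` error are assumptions, and the check is written as a custom error in the style of the contract's existing errors instead of the `require` string above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in: models only the parts of ThePredicter relevant to the finding.
contract PredicterLike {
    enum Status { Unknown, Pending, Approved }
    enum Result { Pending, First, Draw, Second }

    error ThePredicter__IncorrectPredictionFee();
    error ThePredicter__NotApproved();

    uint256 public immutable predictionFee;
    mapping(address => Status) public playersStatus;
    mapping(address => mapping(uint256 => Result)) public predictions;

    constructor(uint256 _predictionFee) { predictionFee = _predictionFee; }

    // Simplified: the real organizer-only approval flow is not modelled here.
    function approvePlayer(address player) external { playersStatus[player] = Status.Approved; }

    function makePrediction(uint256 matchNumber, Result prediction) external payable {
        // The recommended access control: reject callers who are not approved players.
        if (playersStatus[msg.sender] != Status.Approved) revert ThePredicter__NotApproved();
        if (msg.value != predictionFee) revert ThePredicter__IncorrectPredictionFee();
        predictions[msg.sender][matchNumber] = prediction;
    }
}

contract MakePredictionAccessTest is Test {
    PredicterLike predicter;
    address approved = makeAddr("approved");
    address outsider = makeAddr("outsider");

    function setUp() public {
        predicter = new PredicterLike(0.0001 ether);
        predicter.approvePlayer(approved);
        vm.deal(approved, 1 ether);
        vm.deal(outsider, 1 ether);
    }

    // Paying the fee is not enough: an unapproved caller must be rejected.
    function test_UnapprovedCallerIsRejected() public {
        vm.prank(outsider);
        vm.expectRevert(PredicterLike.ThePredicter__NotApproved.selector);
        predicter.makePrediction{value: 0.0001 ether}(1, PredicterLike.Result.First);
    }

    // An approved player paying the exact fee still gets through.
    function test_ApprovedCallerCanPredict() public {
        vm.prank(approved);
        predicter.makePrediction{value: 0.0001 ether}(1, PredicterLike.Result.First);
        assertEq(uint256(predicter.predictions(approved, 1)), uint256(PredicterLike.Result.First));
    }
}
```

Running the same test against the contract before the fix is applied makes the first case fail, which is the quickest way to confirm the missing check.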

Updates

Lead Judging Commences

NightHawK Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
