Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Broken access control of `setPrediction()` in `ScoreBoard` contract.

Summary

The setPrediction() function in the ScoreBoard contract is public and carries no access control. Any address can call it directly with an arbitrary player address and overwrite that player's prediction for any match.

Impact

Because the function never checks its caller, any account can rewrite the predictions of other players. A malicious actor can, for example, reset a victim's entries to Result.Pending before the match deadline; predictionsCount is then recomputed without them, so the victim's stored picks and their count no longer reflect what they submitted. This produces incorrect outcomes and undermines the fairness of the game.

Tools Used

Manual review and testing

Recommendations

Restrict setPrediction() to the ThePredicter contract by applying the onlyThePredicter modifier, so that the only path to writing a prediction is through ThePredicter, which acts on behalf of the calling player.

    function setPrediction(
        address player,
        uint256 matchNumber,
        Result result
    ) public onlyThePredicter {
        // Only this assignment is guarded by the per-match deadline check;
        // the recount below always runs.
        if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
            playersPredictions[player].predictions[matchNumber] = result;
        // Recompute how many paid, non-Pending predictions the player has.
        playersPredictions[player].predictionsCount = 0;
        for (uint256 i = 0; i < NUM_MATCHES; ++i) {
            if (
                playersPredictions[player].predictions[i] != Result.Pending &&
                playersPredictions[player].isPaid[i]
            ) ++playersPredictions[player].predictionsCount;
        }
    }

With the modifier in place, only the address it allows (the ThePredicter contract) can set or modify a player's predictions; a direct call from any other account reverts. This protects the integrity of the game and prevents unauthorized manipulation of predictions.
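The following Foundry test is an added example, not code from the finding or from the audited project. It uses a stripped-down stand-in for ScoreBoard that keeps only the storage and the setPrediction body quoted above, then shows both the reported behaviour (an unrelated account overwriting another player's pick) and the recommended fix (the same call reverting once onlyThePredicter is applied). The START_TIME value, the Result enum layout, the error name and the constructor are assumptions made so the example compiles on its own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stripped-down stand-in for ScoreBoard (added example, not the project's code):
// only the storage and the setPrediction logic quoted in the finding are kept.
abstract contract ScoreBoardBase {
    enum Result { Pending, First, Draw, Second } // assumed layout

    uint256 public constant NUM_MATCHES = 9;
    uint256 public constant START_TIME = 1_723_752_000; // assumed kick-off time
    address public immutable thePredicter;

    struct PlayerPredictions {
        Result[NUM_MATCHES] predictions;
        bool[NUM_MATCHES] isPaid;
        uint8 predictionsCount;
    }
    mapping(address => PlayerPredictions) internal playersPredictions;

    error ScoreBoard__UnauthorizedAccess(); // assumed error name

    modifier onlyThePredicter() {
        if (msg.sender != thePredicter) revert ScoreBoard__UnauthorizedAccess();
        _;
    }

    constructor(address _thePredicter) {
        thePredicter = _thePredicter;
    }

    // Same body as the function quoted in the finding; access control is left to subclasses.
    function _setPrediction(address player, uint256 matchNumber, Result result) internal {
        if (block.timestamp <= START_TIME + matchNumber * 68400 - 68400)
            playersPredictions[player].predictions[matchNumber] = result;
        playersPredictions[player].predictionsCount = 0;
        for (uint256 i = 0; i < NUM_MATCHES; ++i) {
            if (
                playersPredictions[player].predictions[i] != Result.Pending &&
                playersPredictions[player].isPaid[i]
            ) ++playersPredictions[player].predictionsCount;
        }
    }

    function getPrediction(address player, uint256 matchNumber) external view returns (Result) {
        return playersPredictions[player].predictions[matchNumber];
    }
}

// As reported: any caller may set any player's prediction.
contract VulnerableScoreBoard is ScoreBoardBase {
    constructor(address p) ScoreBoardBase(p) {}

    function setPrediction(address player, uint256 matchNumber, Result result) public {
        _setPrediction(player, matchNumber, result);
    }
}

// As recommended: only the ThePredicter address may call it.
contract HardenedScoreBoard is ScoreBoardBase {
    constructor(address p) ScoreBoardBase(p) {}

    function setPrediction(address player, uint256 matchNumber, Result result) public onlyThePredicter {
        _setPrediction(player, matchNumber, result);
    }
}

contract SetPredictionAccessTest is Test {
    address predicter = makeAddr("thePredicter"); // stands in for the ThePredicter contract
    address victim = makeAddr("victim");
    address attacker = makeAddr("attacker");

    VulnerableScoreBoard vulnerable;
    HardenedScoreBoard hardened;

    function setUp() public {
        vulnerable = new VulnerableScoreBoard(predicter);
        hardened = new HardenedScoreBoard(predicter);
        // Two days before kick-off, so the deadline check for match 0 passes.
        vm.warp(vulnerable.START_TIME() - 2 days);
    }

    function test_anyoneCanOverwriteAnotherPlayersPrediction() public {
        // Legitimate path: ThePredicter records the victim's pick for match 0.
        vm.prank(predicter);
        vulnerable.setPrediction(victim, 0, ScoreBoardBase.Result.First);

        // Attacker calls ScoreBoard directly and resets the victim's pick to Pending.
        vm.prank(attacker);
        vulnerable.setPrediction(victim, 0, ScoreBoardBase.Result.Pending);

        assertEq(uint256(vulnerable.getPrediction(victim, 0)), uint256(ScoreBoardBase.Result.Pending));
    }

    function test_modifierBlocksDirectCalls() public {
        vm.prank(predicter);
        hardened.setPrediction(victim, 0, ScoreBoardBase.Result.First);

        vm.prank(attacker);
        vm.expectRevert(ScoreBoardBase.ScoreBoard__UnauthorizedAccess.selector);
        hardened.setPrediction(victim, 0, ScoreBoardBase.Result.Pending);

        // The victim's pick survives the attempted overwrite.
        assertEq(uint256(hardened.getPrediction(victim, 0)), uint256(ScoreBoardBase.Result.First));
    }
}
```

Run with `forge test --match-contract SetPredictionAccessTest`. The first test passes against the vulnerable variant precisely because nothing checks msg.sender; the second shows that the modifier alone is enough to close the direct-call path, while the legitimate call from the ThePredicter address still succeeds.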

Updates

Lead Judging Commences

NightHawK Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation of players' predictions.
