Submission Details
Severity: high
Valid

Not-approved users can make predictions without paying entrance fees

Summary

The ThePredicter::makePrediction function allows players to make predictions. It also allows strangers to make predictions without paying the entrance fee, because the function is missing a check that the caller is an approved player.

Vulnerability Details

The following test demonstrates that anyone can make a prediction without registering first. The call should revert because the player is not approved, but it does not.

Add the following test to the ThePredicter.test.sol file:

```solidity
function testNotRegisteredPlayerCanMakePredictions() public {
    // A fresh address that never registered and was never approved
    address notRegisteredPlayer = makeAddr("notRegisteredPlayer");
    // Fund the address and make it msg.sender for the next call
    hoax(notRegisteredPlayer);
    // Expected: revert because the player is not approved. Actual: the call succeeds.
    thePredicter.makePrediction{value: 0.0001 ether}(
        0,
        ScoreBoard.Result.First
    );
}
```
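To confirm that an approval gate in makePrediction actually closes the hole, the proof-of-concept above can be turned into a regression test. The following is an added example, not part of the original submission or of the ThePredicter code base: it uses a minimal hypothetical stand-in contract (PredicterStandIn, with its own Status and Result enums, playersStatus mapping and error names) so it compiles on its own under Foundry, and it assumes forge-std's hoax, makeAddr and vm.expectRevert.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Hypothetical stand-in for ThePredicter: only the parts the approval gate touches.
contract PredicterStandIn {
    enum Status { Unknown, Pending, Approved }
    enum Result { Pending, First, Draw, Second }

    error PlayerNotApproved();
    error IncorrectPredictionFee();

    uint256 public constant PREDICTION_FEE = 0.0001 ether;
    mapping(address => Status) public playersStatus;
    mapping(address => mapping(uint256 => Result)) public predictions;

    // Stand-in for the organizer's approval flow (no access control, test only).
    function setStatus(address player, Status s) external { playersStatus[player] = s; }

    function makePrediction(uint256 matchNumber, Result prediction) external payable {
        if (msg.value != PREDICTION_FEE) revert IncorrectPredictionFee();
        // The gate the finding recommends: reject callers that were never approved.
        if (playersStatus[msg.sender] != Status.Approved) revert PlayerNotApproved();
        predictions[msg.sender][matchNumber] = prediction;
    }
}

contract ApprovalGateTest is Test {
    PredicterStandIn predicter;
    address approved = makeAddr("approved");
    address stranger = makeAddr("stranger");

    function setUp() public {
        predicter = new PredicterStandIn();
        predicter.setStatus(approved, PredicterStandIn.Status.Approved);
    }

    // Regression test: an unapproved caller paying the correct fee must be rejected.
    function testStrangerIsRejected() public {
        hoax(stranger, 1 ether);
        vm.expectRevert(PredicterStandIn.PlayerNotApproved.selector);
        predicter.makePrediction{value: 0.0001 ether}(0, PredicterStandIn.Result.First);
    }

    // The gate must not break the legitimate path for approved players.
    function testApprovedPlayerStillPredicts() public {
        hoax(approved, 1 ether);
        predicter.makePrediction{value: 0.0001 ether}(0, PredicterStandIn.Result.First);
        assertEq(uint256(predicter.predictions(approved, 0)), uint256(PredicterStandIn.Result.First));
    }
}
```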

Impact

The prize fund that can be won consists of the collected entrance fees. When not-approved users make predictions, they get a chance of winning the prize fund without having paid the entrance fee. If many players abuse this vulnerability, the prize fund will be very small relative to the number of participants competing for it.

Tools Used

Manual review and unit testing.

Recommendations

Before accepting a prediction, add a check that the caller is an approved player.

+ error ThePredicter__PlayerNotApproved();
.
.
.
function makePrediction(
uint256 matchNumber,
ScoreBoard.Result prediction
) public payable {
if (msg.value != predictionFee) {
revert ThePredicter__IncorrectPredictionFee();
}
+ if (playersStatus[msg.sender] != Status.Approved) {
+ revert ThePredicter__PlayerNotApproved();
+ }
if (block.timestamp > START_TIME + matchNumber * 68400 - 68400) {
revert ThePredicter__PredictionsAreClosed();
}
scoreBoard.confirmPredictionPayment(msg.sender, matchNumber);
scoreBoard.setPrediction(msg.sender, matchNumber, prediction);
}
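Review bot: the new status check is placed after the fee check, so a caller who is both unapproved and sends the wrong fee is reported as `ThePredicter__IncorrectPredictionFee` rather than as an access-control failure; consider moving `if (playersStatus[msg.sender] != Status.Approved)` ahead of the fee check so authorization is decided first. The check also relies on a `playersStatus` mapping and a `Status.Approved` member that this snippet does not declare; confirm those match the names the contract's existing approval flow uses. Once the fix is applied, the PoC `testNotRegisteredPlayerCanMakePredictions` from the Vulnerability Details section will start failing and should be converted into a regression test that expects `ThePredicter__PlayerNotApproved`.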

Updates

Lead Judging Commences

NightHawK Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
