First Flight #20: The Predicter

Relevant GitHub Links

https://github.com/Cyfrin/2024-07-the-predicter/blob/839bfa56fe0066e7f5610197a6b670c26a4c0879/src/ThePredicter.sol#L85

Summary

The protocol promises that a player should only pay the prediction fee once when making a prediction and should not have to pay again if they want to change their prediction. However, the current implementation of the makePrediction function requires the full prediction fee to be paid every time a prediction is made, even if it is just a change to an existing prediction.

Vulnerability Details

The makePrediction function in the ThePredicter contract includes the following condition:

This check ensures that a player must send exactly the predictionFee amount when making a prediction. However, the protocol’s requirement is that a player should be able to change an existing prediction without paying an additional fee. The current implementation does not accommodate this requirement because it treats every call to makePrediction as a new prediction that requires the full fee to be paid.

Impact

Direct Impact on Functionality
• Functionality Impact: The issue directly affects the core functionality of the prediction system. The protocol’s promise is that predictions can be updated without an additional fee, but the current implementation enforces a fee every time.

Harm Potential
• Significant Harm: While the issue does not compromise the financial security of the protocol or lead to direct theft of funds, it significantly impacts the user experience. Users may become frustrated if they are forced to pay multiple times to update their predictions, leading to potential dissatisfaction and loss of trust.

Proof of Concept

Tools Used

Manual review

Recommendations

Update the makePrediction function to check if the player is changing an existing prediction and allow such changes without requiring an additional fee. Implementing another changePrediction() function could also be a good solution.