Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Lack of Access Control in the `ThePredicter::makePrediction` function allows any user to participate and make a prediction.

**Description** The `makePrediction` function has no restriction or access control. Any user who has not been approved as a `PLAYER` can call it and participate in the betting tournament; they only need to pay the `predictionFee` to make a prediction.
**Impact** Anyone who has not been approved by the organizer can still participate in the betting tournament without paying the `entranceFee`.
**Proof of Concept**
1. Have a random, unapproved user call the `ThePredicter::makePrediction` function and send the prediction fee.
2. The call passes and does not revert.
<details><summary>POC</summary>
Place the following code in `ThePredicter.test.sol`:
```solidity
function test_AccessControlIssueinmakePrediction() public {
    address user = makeAddr("user");
    vm.deal(user, 0.0001 ether);
    // Send the call from the unapproved user rather than from the test contract itself.
    vm.prank(user);
    // The expected revert never happens: the unapproved user's prediction is accepted,
    // so this test fails on the unpatched contract and passes once access control is added.
    vm.expectRevert();
    thePredicter.makePrediction{value: 0.0001 ether}(0, ScoreBoard.Result.Draw);
}
```
</details>
**Recommended Mitigation** Add a modifier that permits only an approved `PLAYER` to participate in the betting.
```diff
+ modifier onlyPlayers(address player){
+ if(playersStatus[player] != Status.Approved){
+ revert();
+ }
+ _;
+ }
function makePrediction(
uint256 matchNumber,
ScoreBoard.Result prediction
+ ) public payable onlyPlayers(msg.sender){
```
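Review bot: the hunk adds the new signature line `+ ) public payable onlyPlayers(msg.sender){` but shows no `-` line removing the original closing line of the signature, so applied as a patch it would leave two closing lines; add the corresponding `-` line. Inside `onlyPlayers`, the bare `revert();` gives the caller no reason for the failure; a named custom error (for example a placeholder such as `ThePredicter__NotApproved()`) would make the rejection visible in tests and explorers. Since the modifier is always invoked with `msg.sender`, the `player` parameter can be dropped and `playersStatus[msg.sender]` checked directly, which avoids the case where a caller passes a different address than the one actually sending the transaction.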
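As an added example, not the project's code and not the submitter's PoC, the following self-contained Foundry test reproduces the finding against a minimal stand-in contract and shows the gated version rejecting an unapproved caller while still accepting an approved player. The contract name, the `approvePlayer` helper, the `NotApprovedPlayer` and `IncorrectPredictionFee` errors and the `Result` enum are assumptions made for this example; only the `Status.Approved` check, the `playersStatus` mapping and the 0.0001 ether fee mirror values mentioned on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Added example: a minimal stand-in for ThePredicter, not the audited contract.
contract MinimalPredicter {
    enum Status { Unknown, Pending, Approved, Canceled }
    enum Result { Pending, First, Draw, Second }

    error NotApprovedPlayer(address caller);   // hypothetical error name
    error IncorrectPredictionFee();            // hypothetical error name

    uint256 public constant PREDICTION_FEE = 0.0001 ether;
    address public immutable organizer;
    mapping(address => Status) public playersStatus;
    mapping(address => mapping(uint256 => Result)) public predictions;

    constructor() { organizer = msg.sender; }

    // Hypothetical helper so the test can mark a player as Approved.
    function approvePlayer(address player) external {
        require(msg.sender == organizer, "only organizer");
        playersStatus[player] = Status.Approved;
    }

    // Gate on the caller's own status; no caller-supplied address is trusted.
    modifier onlyPlayers() {
        if (playersStatus[msg.sender] != Status.Approved) {
            revert NotApprovedPlayer(msg.sender);
        }
        _;
    }

    // Vulnerable shape: anyone who pays the fee can record a prediction.
    function makePredictionUnchecked(uint256 matchNumber, Result prediction) public payable {
        if (msg.value != PREDICTION_FEE) revert IncorrectPredictionFee();
        predictions[msg.sender][matchNumber] = prediction;
    }

    // Hardened shape: same body, but the modifier rejects unapproved callers.
    function makePrediction(uint256 matchNumber, Result prediction) public payable onlyPlayers {
        if (msg.value != PREDICTION_FEE) revert IncorrectPredictionFee();
        predictions[msg.sender][matchNumber] = prediction;
    }
}

contract AccessControlTest is Test {
    MinimalPredicter predicter;
    address organizer = makeAddr("organizer");
    address approved = makeAddr("approved");
    address stranger = makeAddr("stranger");

    function setUp() public {
        vm.prank(organizer);
        predicter = new MinimalPredicter();
        vm.prank(organizer);
        predicter.approvePlayer(approved);
        vm.deal(approved, 1 ether);
        vm.deal(stranger, 1 ether);
    }

    // Reproduces the finding: the unchecked function stores a stranger's prediction.
    function test_uncheckedAcceptsStranger() public {
        vm.prank(stranger);
        predicter.makePredictionUnchecked{value: 0.0001 ether}(0, MinimalPredicter.Result.Draw);
        assertEq(uint256(predicter.predictions(stranger, 0)), uint256(MinimalPredicter.Result.Draw));
    }

    // The gated function reverts with a named error for the same caller.
    function test_hardenedRejectsStranger() public {
        vm.prank(stranger);
        vm.expectRevert(abi.encodeWithSelector(MinimalPredicter.NotApprovedPlayer.selector, stranger));
        predicter.makePrediction{value: 0.0001 ether}(0, MinimalPredicter.Result.Draw);
    }

    // Regression check: an approved player is still able to predict after the fix.
    function test_hardenedAcceptsApprovedPlayer() public {
        vm.prank(approved);
        predicter.makePrediction{value: 0.0001 ether}(0, MinimalPredicter.Result.Draw);
        assertEq(uint256(predicter.predictions(approved, 0)), uint256(MinimalPredicter.Result.Draw));
    }
}
```

Run it with `forge test --match-contract AccessControlTest`. Keeping the vulnerable and hardened functions side by side in one contract lets the same test file show both the reproduction and the regression check, and asserting on the specific custom error (rather than a bare `vm.expectRevert()`) guards against the test passing for the wrong reason, such as an incorrect fee.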
Updates

Lead Judging Commences

NightHawK Lead Judge 12 months ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
