Players with exactly one correct prediction are deemed ineligible for rewards
Relevant GitHub Links
Summary
The entrance fees collected at the beginning of the tournament are intended to form a prize fund, which is to be distributed among players who paid at least one prediction fee, based on their accumulated points. However, there is a discrepancy in the reward distribution logic that affects players who should be eligible for rewards.
Vulnerability Details
The function ScoreBoard::isEligibleForReward contains a conditional check that incorrectly determines player eligibility for rewards. The current condition checks if the number of predictions made is greater than 1 (playersPredictions[player].predictionsCount > 1). According to the protocol’s documentation, the condition should be checking if the player has made at least one correct prediction to be eligible for rewards.
The current implementation means that players with exactly one correct prediction are deemed ineligible, contradicting the intended reward criteria.
Impact
Functionality:
The vulnerability affects the reward distribution logic of the contract. Players who correctly predicted matches but are incorrectly deemed ineligible for rewards will not receive their due share. This can undermine user trust and satisfaction, as individuals who performed correctly but did not meet the conditional threshold of having more than one correct prediction will not receive their due rewards.
Indirect Impact:
While the issue does not directly affect the contract’s funds or security, it impacts the core functionality of the reward distribution mechanism. This is crucial for the intended user experience and fairness of the protocol. It disrupts the correct functioning of reward distribution, which could affect multiple users.
Proof of Concept
To illustrate the issue:
• A player with exactly one correct prediction will be incorrectly flagged as ineligible for rewards.
• This is due to the incorrect condition in isEligibleForReward function, which should be >= 1 rather than > 1.
Tools Used
Manual review
Recommendations
Update the conditional check in the isEligibleForReward function to ensure that players with at least one correct prediction are deemed eligible for rewards. The condition should be updated to:
playersPredictions[player].predictionsCount >= 1;
Alternatively, checking if predictionsCount > 0 would also be appropriate.
Lead Judging Commences
The eligibility criteria is wrong
Players with only one prediction cannot withdraw.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.