Submission Details
Severity: high
Valid

Unregistered Players Can Call `makePrediction()`

Summary

The function ThePredicter::makePrediction() does not prevent players who are not registered and approved from calling it.

Vulnerability Details

makePrediction() does not check whether the caller is a registered and approved player. As a result, anyone can participate in a competition that was supposed to be open to 30 players only.

This can be weaponised to DoS the system: calling makePrediction() from as many addresses as possible makes ThePredicter::withdraw() too expensive to call, or prevents it from completing at all because it runs out of gas.

Additionally, unregistered and unapproved players become eligible for shares of the entrance fee they never paid. If the entrance fee is substantially higher than the prediction fee, such players can profit whenever they manage to achieve positive scores.

Impact

Denial of service on function ThePredicter::withdraw()

Tools Used

Testing, manual review

Recommendations

Add checks to ThePredicter::makePrediction() so that it is callable only by registered and approved players.
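The shape of the recommended fix, as an added illustration rather than code from the contest repository: the unchecked function beside a version gated by an `onlyApprovedPlayer` modifier. The `Status` enum, `playersStatus` mapping, `organizer` address and `approvePlayer()` stand-in are assumptions made for this example; only the function names come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal stand-in for ThePredicter (assumed storage layout, not the real contract).
contract PredicterAccessControlExample {
    enum Status { Unknown, Pending, Approved, Canceled }

    address public immutable organizer;
    uint256 public immutable predictionFee;
    mapping(address => Status) public playersStatus;

    error IncorrectPredictionFee();
    error UnapprovedPlayer();
    error NotOrganizer();

    event PredictionMade(address indexed player, uint256 matchNumber, uint8 result);

    constructor(uint256 _predictionFee) {
        organizer = msg.sender;
        predictionFee = _predictionFee;
    }

    // The check the recommendation asks for: only players whose registration
    // the organizer approved may reach the function body.
    modifier onlyApprovedPlayer() {
        if (playersStatus[msg.sender] != Status.Approved) revert UnapprovedPlayer();
        _;
    }

    // Stand-in for the organizer's approval step (assumed; the real contract
    // has its own register/approve flow).
    function approvePlayer(address player) external {
        if (msg.sender != organizer) revert NotOrganizer();
        playersStatus[player] = Status.Approved;
    }

    // BEFORE: only the fee is checked, so any address holding predictionFee can
    // join and later claim a share of entrance fees it never paid.
    function makePredictionVulnerable(uint256 matchNumber, uint8 result) external payable {
        if (msg.value != predictionFee) revert IncorrectPredictionFee();
        emit PredictionMade(msg.sender, matchNumber, result);
    }

    // AFTER: unapproved callers are rejected before any state changes, which
    // removes both the reward dilution and the unbounded growth that makes
    // withdraw() run out of gas.
    function makePrediction(uint256 matchNumber, uint8 result) external payable onlyApprovedPlayer {
        if (msg.value != predictionFee) revert IncorrectPredictionFee();
        emit PredictionMade(msg.sender, matchNumber, result);
    }
}
```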

Proof of Concept

The issue can be demonstrated using the following test:

```solidity
// Lives in the contest's Foundry test contract, where `users` and `thePredicter`
// are set up in setUp(). The call is expected to succeed even though `user` never
// registered or was approved, which is exactly the missing check.
function test_evmn_makePrediction_POC_unregistered() public {
    // Try to make a prediction without registration
    address user = users[0];
    deal(user, thePredicter.predictionFee());
    vm.startPrank(user);
    thePredicter.makePrediction{value: thePredicter.predictionFee()}(1, ScoreBoard.Result.First);
    vm.stopPrank();
}
```

Updates

Lead Judging Commences

NightHawK Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

makePrediction lacks access control

makePrediction has no access controls and any unapproved user can make predictions causing an incorrect calculation and distribution of rewards.
