First Flight #20: The Predicter

Summary

A bug in time calculation prevents the system to be used beyond the first match.

Vulnerability Details

The code from ThePredicter contract on line 93 adds 18 hours starting from the second match, assuming that matchNumber is between 0 and 8 (0 means the first match and 8 means the last match). The calculation yields the following date and time:

• Match Number 0: Thu Aug 15 2024 20:00:00 GMT+0000

• Match Number 1: Fri Aug 16 2024 15:00:00 GMT+0000

• Match Number 2: Sat Aug 17 2024 10:00:00 GMT+0000

• Match Number 3: Sun Aug 18 2024 05:00:00 GMT+0000

• Match Number 4: Mon Aug 19 2024 00:00:00 GMT+0000

• Match Number 5: Mon Aug 19 2024 19:00:00 GMT+0000

• Match Number 6: Tue Aug 20 2024 14:00:00 GMT+0000

• Match Number 7: Wed Aug 21 2024 09:00:00 GMT+0000

• Match Number 8: Thu Aug 22 2024 04:00:00 GMT+0000

A similar code is also found on ScoreBoard contract on line 66.

Impact

The system deviates from the expected behaviour in terms of limiting the time to make predictions.

Tools Used

Manual review.

Recommendations

Consider replacing the code on line 93 of ThePredicter contract and line 66 of ScoreBoard contract with the following snippet:

After the change, it is expected that we have the following timestamps:

• Match Number 0: Thu Aug 15 2024 19:00:00 GMT+0000

• Match Number 1: Thu Aug 16 2024 19:00:00 GMT+0000

• Match Number 2: Thu Aug 17 2024 19:00:00 GMT+0000

• Match Number 3: Thu Aug 18 2024 19:00:00 GMT+0000

• Match Number 4: Thu Aug 19 2024 19:00:00 GMT+0000

• Match Number 5: Thu Aug 20 2024 19:00:00 GMT+0000

• Match Number 6: Thu Aug 21 2024 19:00:00 GMT+0000

• Match Number 7: Thu Aug 22 2024 19:00:00 GMT+0000

• Match Number 8: Thu Aug 23 2024 19:00:00 GMT+0000