Severity: high
Valid

User Must Predict At Least Two Games To Be Eligible For Reward

Summary

A user must submit at least two predictions to be eligible for a reward.

Vulnerability Details

The function ScoreBoard::isEligibleForReward() checks two conditions:

  • The last match's result is set, i.e. it is not at its default value.

  • The player's predictionsCount is more than one.

The second condition works against a user who predicts only one match and earns a positive score: they cannot withdraw their share of the reward. This condition is irreversible, and their reward gets stuck in the ThePredicter contract.

Impact

A user with one prediction and a positive score cannot withdraw their reward.

Tools Used

Testing, manual review

Recommendations

Consider replacing the code in line 97 with the following snippet:

playersPredictions[player].predictionsCount >= 1;
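
The boundary described above, as an added example that is not part of the original submission or the audited code: a simplified model (hypothetical contract and function names, an assumed `Pending` default and nine matches) contrasting the reported "more than one" comparison with the recommended `>= 1` for players with zero, one and two predictions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Simplified model of the check described in this report. All names here are
// hypothetical stand-ins, not the audited ScoreBoard/ThePredicter source.
contract EligibilityModel {
    enum Result { Pending, First, Draw, Second } // Pending = assumed default value
    uint256 public constant NUM_MATCHES = 9;     // assumed: matches 0..8, as in the PoC
    Result[NUM_MATCHES] public results;
    mapping(address => uint8) public predictionsCount;
    mapping(address => int8) public score;

    function recordPrediction(address player, int8 points) external {
        predictionsCount[player] += 1;
        score[player] += points;
    }

    function setResult(uint256 matchNumber, Result result) external {
        results[matchNumber] = result;
    }

    // Comparison as reported: more than one prediction is required.
    function isEligibleReported(address player) public view returns (bool) {
        return results[NUM_MATCHES - 1] != Result.Pending && predictionsCount[player] > 1;
    }

    // Comparison from the Recommendations section: one prediction is enough.
    function isEligibleRecommended(address player) public view returns (bool) {
        return results[NUM_MATCHES - 1] != Result.Pending && predictionsCount[player] >= 1;
    }
}

contract EligibilityBoundaryCheck {
    // Reverts with the failed expectation if any boundary case (0, 1 or 2 predictions) is off.
    function run() external returns (bool) {
        EligibilityModel m = new EligibilityModel();
        // Constructed sample players: no prediction, one prediction, two predictions.
        (address none, address one, address two) = (address(0xA0), address(0xA1), address(0xA2));
        m.recordPrediction(one, 2);
        m.recordPrediction(two, 2);
        m.recordPrediction(two, -1);
        require(!m.isEligibleReported(one) && !m.isEligibleRecommended(one), "expected: nobody eligible while last result is pending");
        m.setResult(m.NUM_MATCHES() - 1, EligibilityModel.Result.First);
        require(m.score(one) > 0 && !m.isEligibleReported(one), "expected: reported check rejects one prediction");
        require(m.isEligibleRecommended(one), "expected: recommended check accepts one prediction");
        require(m.isEligibleReported(two) && m.isEligibleRecommended(two), "expected: two predictions pass both");
        require(!m.isEligibleReported(none) && !m.isEligibleRecommended(none), "expected: zero predictions fail both");
        return true;
    }
}
```

Deploying `EligibilityBoundaryCheck` and calling `run()` returns true when every expectation holds and reverts with the failed expectation's message otherwise.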

Proof of Concept

The following test demonstrates that a player with a single prediction is not eligible for a reward.

function test_evmn_makePrediction_POC_isEligibleForReward() public {
    // The user makes a single prediction, without registration
    address user = users[0];
    deal(user, thePredicter.predictionFee() * 8);
    vm.startPrank(user);
    thePredicter.makePrediction{value: thePredicter.predictionFee()}(7, ScoreBoard.Result.First);
    vm.stopPrank();

    // The organizer sets the result of match 8
    vm.startPrank(organizer);
    scoreBoard.setResult(8, ScoreBoard.Result.First);
    vm.stopPrank();

    // With only one prediction, the user is not eligible
    assertFalse(scoreBoard.isEligibleForReward(user));
}

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The eligibility criteria is wrong

Players with only one prediction cannot withdraw.
