Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

Unrestricted Access to scoreBoard::setPrediction Due to Public Visibility, Which Makes It Callable by Anyone

Summary

The setPrediction function is declared public, so any externally owned account or contract can call it. It should only be callable by the specific player it is intended for (or by the contract acting on that player's behalf), which means the function needs more restrictive visibility and, at minimum, a check on who the caller is.

Vulnerability Details

The function signature is as follows:

```solidity
function setPrediction(address player, uint256 matchNumber, Result result) public {
    // Function body
}
```

Because the function is public and performs no check on msg.sender, any external account or contract can call it and set or overwrite the prediction of any player for any match. This is a serious access control issue: the predictions stored in the scoreboard can be manipulated by parties who were never authorized to submit them.

Impact

Anyone can call this function directly without being approved as a player or paying the entry fee.

Unauthorized Predictions: Any user can set or overwrite predictions for any other user, completely bypassing the intended access controls.

Tools Used

Manual Code Review

Recommendations

Change the function visibility to internal:

```solidity
function setPrediction(address player, uint256 matchNumber, Result result) internal {
    // Function body
}
```

This ensures that only the contract itself or derived contracts can call this function.

Note that internal visibility is only sufficient if the legitimate caller lives in the same contract or in a contract that inherits from it. If predictions are recorded by a separate game contract that calls the scoreboard externally, making the function internal would break that path; in that case keep the function external and add a modifier that reverts unless msg.sender is the trusted caller. Either way, after the change, verify with a test that an unrelated address can no longer write another player's prediction.
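The following Foundry test is an added example written for this page; it is not code from the audited project or from the submission above. It reproduces both the vulnerability described under Vulnerability Details and the access-control fix discussed in the Recommendations. Everything other than the setPrediction signature from the report is an assumption: the Result enum values, the predictions mapping, the HardenedScoreBoard contract, the game address, the onlyGame modifier and the NotGame error are all hypothetical stand-ins for whatever the real scoreboard uses. It needs forge-std on the import path, as any Foundry project has.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Assumed enum; the real Result type from the project is not on the page.
enum Result {
    Pending,
    First,
    Draw,
    Second
}

// Minimal stand-in for the scoreboard contract under review. Only the
// setPrediction signature is taken from the report; storage is assumed.
contract VulnerableScoreBoard {
    mapping(address => mapping(uint256 => Result)) public predictions;

    // Public and unguarded: any EOA or contract can write any player's slot.
    function setPrediction(address player, uint256 matchNumber, Result result) public {
        predictions[player][matchNumber] = result;
    }
}

// Hardened variant (hypothetical): the function stays externally callable
// because a separate game contract records predictions, but the caller is
// restricted to that single trusted address.
contract HardenedScoreBoard {
    address public immutable game; // the only contract allowed to record predictions
    mapping(address => mapping(uint256 => Result)) public predictions;

    error NotGame(address caller);

    constructor(address game_) {
        game = game_;
    }

    modifier onlyGame() {
        if (msg.sender != game) revert NotGame(msg.sender);
        _;
    }

    function setPrediction(address player, uint256 matchNumber, Result result) external onlyGame {
        predictions[player][matchNumber] = result;
    }
}

contract SetPredictionAccessTest is Test {
    address internal game = makeAddr("game");
    address internal alice = makeAddr("alice");
    address internal mallory = makeAddr("mallory");

    // Demonstrates the finding: an unrelated address overwrites Alice's prediction.
    function test_anyoneCanOverwritePredictionOnVulnerableBoard() public {
        VulnerableScoreBoard board = new VulnerableScoreBoard();

        vm.prank(game);
        board.setPrediction(alice, 1, Result.First);

        vm.prank(mallory); // never approved, never paid any fee
        board.setPrediction(alice, 1, Result.Second);

        assertEq(uint256(board.predictions(alice, 1)), uint256(Result.Second));
    }

    // Demonstrates the fix: the same call from Mallory reverts and Alice's
    // prediction is untouched, while the trusted game contract still works.
    function test_hardenedBoardRejectsUnauthorizedCaller() public {
        HardenedScoreBoard board = new HardenedScoreBoard(game);

        vm.prank(game);
        board.setPrediction(alice, 1, Result.First);

        vm.prank(mallory);
        vm.expectRevert(abi.encodeWithSelector(HardenedScoreBoard.NotGame.selector, mallory));
        board.setPrediction(alice, 1, Result.Second);

        assertEq(uint256(board.predictions(alice, 1)), uint256(Result.First));
    }
}
```

Run it with `forge test --match-contract SetPredictionAccessTest -vv`. The first test passing is the proof of concept for this finding; the second shows that restricting msg.sender, rather than changing visibility alone, is what closes it when the legitimate caller is a different contract.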

Updates

Lead Judging Commences

NightHawK Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation of players' predictions.
