Beginner FriendlyFoundry
100 EXP
Submission Details
Severity: high
Valid

Lack of access control for `ScoreBoard::setPrediction`.

Summary

Lack of access control for ScoreBoard::setPrediction.

Vulnerability Details

The function ScoreBoard::setPrediction is used by players to place or update predictions. However, because the function has no access control, anyone can overwrite another player's placed prediction.

Impact

Anyone can change any player's prediction.

Tools Used

Manual Review

Proof Of Code

  1. Add the following test case to ThePredicter.test.sol:

    function test_anyoneCanModifySomeonesBet() public {
        address stranger2 = makeAddr("stranger2");

        // `stranger` registers and places a prediction on match 0.
        vm.startPrank(stranger);
        vm.deal(stranger, 1 ether);
        thePredicter.register{value: 0.04 ether}();
        thePredicter.makePrediction{value: 0.0001 ether}(
            0,
            ScoreBoard.Result.First
        );
        vm.stopPrank();

        // An unrelated account overwrites stranger's prediction directly on ScoreBoard.
        vm.startPrank(stranger2);
        scoreBoard.setPrediction(stranger, 0, ScoreBoard.Result.Second);
        vm.stopPrank();
    }

  2. Run the following command: forge test --mt test_anyoneCanModifySomeonesBet

  3. Observe that no revert occurred.

Recommendations

Apply the following changes:

  1. Make the function ScoreBoard::setPrediction callable only by the ThePredicter contract:

function setPrediction(
address player,
uint256 matchNumber,
Result result
- ) public {
+ ) public onlyThePredicter {
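Review bot: the `onlyThePredicter` modifier introduced on the `+` line is not defined anywhere in the shown change; the recommendation should also include the modifier body (a `msg.sender` check against the stored ThePredicter address) and how that address is set, since without them the snippet does not compile and the intended restriction is left unspecified.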
  2. Create a function in the ThePredicter contract that allows prediction updates and ensures that msg.sender can update only his/her own predictions. This function should be the only caller of ScoreBoard::setPrediction.
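The two recommendation steps combined, as an added illustrative example (not the audited project's code): ScoreBoard restricts setPrediction to the ThePredicter address it is deployed with, and ThePredicter exposes an update path that hard-binds the written slot to msg.sender. The Result enum members, the predictions mapping, the constructor wiring and the updatePrediction name are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ScoreBoard: only the ThePredicter contract may write predictions.
// Enum members, storage layout and constructor are assumptions for this example.
contract ScoreBoard {
    enum Result { Pending, First, Draw, Second }

    address public immutable thePredicter;
    mapping(address => mapping(uint256 => Result)) public predictions;

    error NotThePredicter();

    // Reverts for every caller except the single authorised contract.
    modifier onlyThePredicter() {
        if (msg.sender != thePredicter) revert NotThePredicter();
        _;
    }

    constructor(address _thePredicter) {
        thePredicter = _thePredicter;
    }

    function setPrediction(address player, uint256 matchNumber, Result result)
        public
        onlyThePredicter
    {
        predictions[player][matchNumber] = result;
    }
}

// Minimal ThePredicter: deploys its own ScoreBoard so the authorised address is
// fixed at construction, and is the only path into setPrediction.
contract ThePredicter {
    ScoreBoard public immutable scoreBoard;

    constructor() {
        scoreBoard = new ScoreBoard(address(this));
    }

    // No `player` parameter exists: the caller can only touch their own slot.
    function updatePrediction(uint256 matchNumber, ScoreBoard.Result result) external {
        scoreBoard.setPrediction(msg.sender, matchNumber, result);
    }
}
```

With this layout the proof-of-code test above fails at scoreBoard.setPrediction with NotThePredicter, which is the revert the original run lacked.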

Updates

Lead Judging Commences

NightHawK Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

setPrediction lacks access control

setPrediction has no access control and allows manipulation to Players' predictions.
