BriVault

First Flight #52
Submission Details
Impact: high
Likelihood: high
Invalid

Owner Can Frontrun Winner Selection and Gain Unfair Advantage

Root + Impact

Description

  • Users deposit funds, pick a country, and if the country they picked is the winner set by the owner, they win a share of the prize pool

  • The issue here is that there's no restriction on the owner to not participate in the event, and given that the winner selection isn't random but handpicked by the owner, the owner could join an event, pick a country of his choice, make it the winner and win shares

// Root cause in the codebase with @> marks to highlight the relevant section

Risk

Likelihood:

  • When owner joins the event and sets the country of their picking as the winner


Impact:

  • Owner gets an unfair advantage, since a win is always guaranteed for them

Proof of Concept

Recommended Mitigation

- remove this code
+ require(msg.sender != owner(), "Owner cannot participate in the event.");
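
Review bot: the added require compares msg.sender against owner(), so it blocks only the one owner address; the same person taking part from any other account passes the check, and the advantage described in this report remains as long as the winner is hand-picked. The hunk also shows no surrounding context, and the "- remove this code" line is an unfilled placeholder rather than a real removal: name the function the check belongs in and show the actual lines being changed.
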
Or winner selection is generated randomly; that way the owner can still participate, but won't have the unfair advantage of choosing their selected country as the winner.
Updates

Appeal created

bube Lead Judge 21 days ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
Assigned finding tags:

The owner can be participant

The owner is trusted.
