When a participant joins an event, his/her stake should be locked and he/she should not be able to join again.
A participant can repeatedly call joinEvent() to overwrite their selected country, because the contract neither restricts multiple joins nor checks whether the caller's shares have already been allocated.
This lets strategic users watch the mempool and front-run other participants, changing their own country selection at the last possible moment and potentially manipulating the distribution of winning rewards.
It also leaves repeated entries in usersAddress, totalParticipantShares and userSharesToCountry.
Likelihood:
Miners or bots can detect pending participation transactions in the mempool during the block that reaches the event start time, allowing them to reorder and front-run.
Participants can repeatedly call joinEvent() before event start to modify their selected country, enabling last-second strategic behavior based on others’ choices.
Impact:
Attackers can manipulate the distribution of rewards by selecting the country with the highest total shares at the last possible moment.
Honest participants are disadvantaged because their country choice can be front-run or strategically countered, breaking fairness and predictability of the event.
The test shows that the user first voted for Mexico.
After seeing that most of the players are voting for Brazil, he switches his vote as well.
Introduce a mapping hasVoted that maps an address to a boolean.
Whenever a participant votes, check whether they have already voted, and at the end of the call set hasVoted to true for that address.
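As an added illustration (not the audited contract's code), a minimal joinEvent() with the recommended one-join guard next to the unguarded shape the finding describes; the contract name, eventStart, countryOf and the stake-as-msg.value model are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the audited project's code. `EventStake`,
// `eventStart`, `countryOf` and stake-as-msg.value are assumptions;
// `joinEvent`, `usersAddress`, `totalParticipantShares`,
// `userSharesToCountry` and `hasVoted` follow the finding.
contract EventStake {
    uint256 public immutable eventStart;                    // assumed: joins close here
    address[] public usersAddress;                          // each participant once
    uint256 public totalParticipantShares;
    mapping(uint256 => uint256) public userSharesToCountry; // countryId => shares
    mapping(address => uint256) public countryOf;           // assumed: user => country
    mapping(address => bool) public hasVoted;               // the recommended guard

    error AlreadyJoined(address user);
    error EventStarted();
    error NoStake();

    constructor(uint256 _eventStart) {
        eventStart = _eventStart;
    }

    // Vulnerable shape described in the finding, kept as a comment for contrast:
    // nothing stops a second call, so the address is pushed again, the stake is
    // added again and the caller can move to another country at the last moment.
    //
    // function joinEvent(uint256 countryId) external payable {
    //     usersAddress.push(msg.sender);
    //     totalParticipantShares += msg.value;
    //     userSharesToCountry[countryId] += msg.value;
    //     countryOf[msg.sender] = countryId;
    // }

    // Hardened: one join per address, the first choice is final.
    function joinEvent(uint256 countryId) external payable {
        if (block.timestamp >= eventStart) revert EventStarted();
        if (msg.value == 0) revert NoStake();
        if (hasVoted[msg.sender]) revert AlreadyJoined(msg.sender);
        hasVoted[msg.sender] = true;   // set before any further state changes
        usersAddress.push(msg.sender);
        totalParticipantShares += msg.value;
        userSharesToCountry[countryId] += msg.value;
        countryOf[msg.sender] = countryId;
    }
}
```

A second call from the same address now reverts with AlreadyJoined, so usersAddress and the share totals can no longer accumulate duplicates and a late country switch is impossible.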