Test Scenario: Cheat Bet in the [Live Betting Test]: 1st Half - Winner Market on bookmaker.xyz
Description:
This test scenario was aimed at to evaluating the loopholes of the 1st Half - Winner market within the live betting feature on bookmaker.xyz. The specific focus was on identifying potential vulnerabilities that allow users to place bets on market outcomes after they are officially confirmed, exploiting a delay in data relay from the market provider.
Test Steps:
1. Access the live betting section of bookmaker.xyz.
2. Navigate to the 1st Half - Winner market within the live betting options. (Match Example: Marseille - Montpellier 25th Feb. 2024)
3. Monitor the real-time data updates provided by the market provider for this specific market. (Using FlashScore(dot)mobi)
Flashscore provides fast updates to the market outcomes. See the screenshot below.
Note: It's already Half-Time.
**4. Attempt to place a bet on the outcome of the 1st Half - Winner market during a period where bookmaker(dot)xyz believes the outcome has not yet occurred due to delayed data relay. See the screenshot below.
Note: Bookmaker hasn't closed the market yet.**
**5. Verify whether the system allows the bet to be placed despite the ongoing event and after the official outcome confirmation.
Verified- See the screenshot below.**
6. Monitor the behavior of the website and the user interface upon placing the bet to determine if any warnings or notifications are provided regarding the potential discrepancy in real-time data.
The market website remains open despite the official outcome of the data provider. This allows me to place multiple bets at a time profiting massively. I managed to place a total of 17 bets.
### 7. Observe how the system handles the bet placement in terms of acceptance, processing, and updating of the bet slip.
The bets are accepted without any errors and it only takes a few seconds for confirmation on the blockchain.
### 8. Document any discrepancies, errors, or irregularities encountered during the test process.
By the time the market data is relayed to bookmaker, a punter has already placed multiple bets and gained an unfair advantage through the cheat bet. Errors occurred after data relay thus closing the market. See the screenshots below.
END.
Observed Behavior
**The observed behavior revealed significant vulnerabilities in the 1st Half - Winner market on bookmaker(dot)xyz, highlighting the potential for exploitation through cheat bets.
Since I managed to place a total of 17 bets I was able to go from 3000 AZUSD free mint to more than 35,000 AZUSD.
Here is the screenshot.**
Expected Behavior
The expected behavior for the 1st Half - Winner market should be as follows:
Real-time Updates: The market should reflect accurate and timely updates based on the progress of the match esp. events affecting the outcome of the 1st half.
Market Closure: The market should be closed once the specified period has concluded. Once closed, no further bets should be accepted for that specific market.
Bet Placement Validation: Bets should only be accepted within the timeframe of the 1st half of the match. Once the 1st half is completed, no additional bets should be permitted for this market.
Reproducibility of the Issue
To reproduce the issue follow the steps below:
Visit Bookmaker(dot)xyz and make sure the live betting tab is active.
Visit Flashscore(dot)mobi and look for games with 45+ as indicated time (crucial)
Once you identify one cross-check if it is offered by bookmaker. If yes then proceed to step if not then keep looking.
Now comes the difficult part. The waiting at times you will find the 1st Half Match Winner market closed.
So you can either refresh bookmaker or look for a different game with the market still open. (Remember time is of the essence)
Once you have found a game that meets all the above and with an open 1st Half Match Winner market. Confirm the outcome is accurate with Flashscore then place your bet.
You can always use the Max bet option as it returns the highest payout depending on the odds.
Note: At times the max options fails even after placing your bet. It will return an error Oops..There were some problems while trying to place a bet. If you encounter this error then only bet $100 Max
Place as many bets as you can during the time-frame but whatever you do, do not refresh the page as it will update and relay the current match outcome.
If you encounter the error: Outcome removed or suspended then the data has been relayed. Ignore as you can no longer place any bets. Look for another game with the same parameters above and repeat the steps.
NOTE: I found this worked smoothly in MetaMask (built-in browser) and on Mobile. Desktop takes too long to perform these actions.
Additional Information
Check the transaction history on mumbai polygonscan. My wallet address is input above.
I recommend you get a faster API Data provider.
Also consider locking the 1st Half Match Winner market by say the 44 min mark.
This will prevent any huge odd spikes that come up when a goal is scored and the data provider hasn't relayed the outcome quickly.
Besides that the live betting works fine and I hope you found this helpful.
Contact Details
drampkitum@gmail.com
Your Wallet Address
0x5FCa5C88c7803B51d2e1eB5af9E263B4dBDe6209
Testing Scenario Conducted
Cheat Bet
Test Description
Test Description:
Test Scenario: Cheat Bet in the [Live Betting Test]: 1st Half - Winner Market on bookmaker.xyz
Description:
This test scenario was aimed at to evaluating the loopholes of the 1st Half - Winner market within the live betting feature on bookmaker.xyz. The specific focus was on identifying potential vulnerabilities that allow users to place bets on market outcomes after they are officially confirmed, exploiting a delay in data relay from the market provider.
Test Steps:
1. Access the live betting section of bookmaker.xyz.
2. Navigate to the 1st Half - Winner market within the live betting options. (Match Example: Marseille - Montpellier 25th Feb. 2024)
3. Monitor the real-time data updates provided by the market provider for this specific market. (Using FlashScore(dot)mobi)
Flashscore provides fast updates to the market outcomes. See the screenshot below.
Note: It's already Half-Time.
**4. Attempt to place a bet on the outcome of the 1st Half - Winner market during a period where bookmaker(dot)xyz believes the outcome has not yet occurred due to delayed data relay. See the screenshot below.
Note: Bookmaker hasn't closed the market yet.**
**5. Verify whether the system allows the bet to be placed despite the ongoing event and after the official outcome confirmation.
Verified- See the screenshot below.**
6. Monitor the behavior of the website and the user interface upon placing the bet to determine if any warnings or notifications are provided regarding the potential discrepancy in real-time data.
The market website remains open despite the official outcome of the data provider. This allows me to place multiple bets at a time profiting massively. I managed to place a total of 17 bets.
### 7. Observe how the system handles the bet placement in terms of acceptance, processing, and updating of the bet slip.
The bets are accepted without any errors and it only takes a few seconds for confirmation on the blockchain.
### 8. Document any discrepancies, errors, or irregularities encountered during the test process.
By the time the market data is relayed to bookmaker, a punter has already placed multiple bets and gained an unfair advantage through the cheat bet. Errors occurred after data relay thus closing the market. See the screenshots below.
END.
Observed Behavior
**The observed behavior revealed significant vulnerabilities in the 1st Half - Winner market on bookmaker(dot)xyz, highlighting the potential for exploitation through cheat bets.
Since I managed to place a total of 17 bets I was able to go from 3000 AZUSD free mint to more than 35,000 AZUSD.
Here is the screenshot.**
Expected Behavior
The expected behavior for the 1st Half - Winner market should be as follows:
Reproducibility of the Issue
To reproduce the issue follow the steps below:
Visit Bookmaker(dot)xyz and make sure the live betting tab is active.
Visit Flashscore(dot)mobi and look for games with 45+ as indicated time (crucial)
Once you identify one cross-check if it is offered by bookmaker. If yes then proceed to step if not then keep looking.
Now comes the difficult part. The waiting at times you will find the 1st Half Match Winner market closed.
So you can either refresh bookmaker or look for a different game with the market still open. (Remember time is of the essence)
Once you have found a game that meets all the above and with an open 1st Half Match Winner market. Confirm the outcome is accurate with Flashscore then place your bet.
You can always use the Max bet option as it returns the highest payout depending on the odds.
Note: At times the max options fails even after placing your bet. It will return an error Oops..There were some problems while trying to place a bet. If you encounter this error then only bet $100 Max
Place as many bets as you can during the time-frame but whatever you do, do not refresh the page as it will update and relay the current match outcome.
If you encounter the error: Outcome removed or suspended then the data has been relayed. Ignore as you can no longer place any bets. Look for another game with the same parameters above and repeat the steps.
NOTE: I found this worked smoothly in MetaMask (built-in browser) and on Mobile. Desktop takes too long to perform these actions.
Additional Information
Check the transaction history on mumbai polygonscan. My wallet address is input above.
I recommend you get a faster API Data provider. Also consider locking the 1st Half Match Winner market by say the 44 min mark. This will prevent any huge odd spikes that come up when a goal is scored and the data provider hasn't relayed the outcome quickly.
Besides that the live betting works fine and I hope you found this helpful.