The MysteryBox contract incorrectly deletes elements from the rewardsOwned array using the delete keyword. This practice sets the array element to its default value but does not remove it from the array, leading to "holes" or gaps. These gaps can cause issues when iterating over the array, potentially resulting in incorrect reward calculations, logical errors, and unexpected behavior.
In the transferReward and claimSingleReward functions, the contract uses the delete keyword to remove elements from the rewardsOwned array:
Using delete on an array element in Solidity sets that element to its default value but does not adjust the array's length or shift subsequent elements to fill the gap.
This behavior results in an array with the same length but containing empty (default) elements at the deleted indices.
Functions affected: transferReward and claimSingleReward.
Inaccurate Reward Distribution: Users may receive incorrect reward amounts due to the inclusion of default (empty) rewards in calculations.
Logical Errors: Functions that rely on the array's integrity may behave unexpectedly, potentially leading to security vulnerabilities or application crashes.
User Frustration: Users may experience issues when claiming or transferring rewards, leading to a loss of trust in the platform.
Potential Exploitation: Malicious users could exploit this behavior to manipulate reward calculations.
Manual Code Review: Examined the contract's code to identify improper array manipulation practices.
To correctly remove an element from an array in Solidity, replace the element to be deleted with the last element of the array and then reduce the array's length using the pop() method. This approach maintains a contiguous array without gaps and ensures the array length accurately reflects the number of elements.
For transferReward:
For claimSingleReward: