Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

Floating pragma version and wrong comparison operator in claimSingleReward function

Summary

The low findings include:

  1. Floating pragma version

  2. Wrong comparison operator in the require statement of the claimSingleReward function

Vulnerability Details

  1. The contract implements a floating pragma version ^0.8.0, which means the contract can be compiled with any version that is greater than or equal to 0.8.0, but less than the next major version 0.9.0.

  2. The require statement in the claimSingleReward function is:

    require(_index <= rewardsOwned[msg.sender].length, "Invalid index");

The comparison operator is <=, which means the _index parameter can be equal to the length of the user's rewards.

Impact

  1. Floating pragma version may cause issues with newer compiler versions.

  2. The wrong comparison operator can cause the function to revert with the error array out-of-bounds access instead of the custom Invalid index error when the _index parameter of the function is equal to the number of the user's rewards.

Tools Used

Manual inspection.

Recommendations

  1. Change the floating pragma version to a fixed one:

    pragma solidity 0.8.0;

  2. Change the comparison operator from <= to <:

    require(_index < rewardsOwned[msg.sender].length, "Invalid index");
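
The difference between the two checks can be shown with a Foundry test. This is an added example, not code from the audited contract or from the submission: RewardsStub, addReward, claimLoose and claimStrict are hypothetical names that model only the bounds check and an indexed read of rewardsOwned, and forge-std is assumed to be installed in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity 0.8.0;

import {Test, stdError} from "forge-std/Test.sol";

// Constructed stand-in, not the audited contract: only the bounds check
// and an indexed read of rewardsOwned are modelled.
contract RewardsStub {
    mapping(address => uint256[]) public rewardsOwned;

    function addReward(uint256 value) external {
        rewardsOwned[msg.sender].push(value);
    }

    // Check as quoted in the finding: _index == length passes the require.
    function claimLoose(uint256 _index) external view returns (uint256) {
        require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
        return rewardsOwned[msg.sender][_index]; // Panic(0x32) when _index == length
    }

    // Check as recommended: _index == length is rejected by the require.
    function claimStrict(uint256 _index) external view returns (uint256) {
        require(_index < rewardsOwned[msg.sender].length, "Invalid index");
        return rewardsOwned[msg.sender][_index];
    }
}

contract RewardsStubTest is Test {
    RewardsStub stub;

    function setUp() public {
        stub = new RewardsStub();
        stub.addReward(1 ether); // index 0
        stub.addReward(2 ether); // index 1, so length == 2
    }

    function test_looseCheck_panicsAtLength() public {
        vm.expectRevert(stdError.indexOOBError); // Panic(uint256) with code 0x32
        stub.claimLoose(2);
    }

    function test_strictCheck_revertsWithMessageAtLength() public {
        vm.expectRevert(bytes("Invalid index")); // Error(string) from the require
        stub.claimStrict(2);
    }

    function test_bothAcceptLastValidIndex() public {
        assertEq(stub.claimLoose(1), 2 ether);
        assertEq(stub.claimStrict(1), 2 ether);
    }
}
```

Both variants revert when _index equals the array length, so no state is changed in either case; only the revert data differs.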

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
