Mystery Box

Summary

A centralized risk has been identified in the system's rewards distribution mechanism, where the owner can call the withdrawFunds function before users claim their rewards. This vulnerability could prevent users from claiming their entitled rewards if the owner withdraws the funds, which affect one of the main protocol functionality

Vulnerability Details

The core issue lies in the design of the withdrawFunds function, which allows the contract owner to withdraw the contract's balance, including funds intended for user rewards, at any time. If users have pending claims and the owner calls the withdrawFunds function, the reward pool may be drained, leaving insufficient funds for users to claim their rewards.

• PoC

  function testOwnerCanPreventUserFromClaimingRewards() public {

  vm.deal(user1, 1 ether);

  vm.startPrank(user1);

  mysteryBox.buyBox{value: 0.1 ether}();

  assertEq(mysteryBox.boxesOwned(user1), 1);

  mysteryBox.openBox();

  assertEq(mysteryBox.boxesOwned(user1), 0);

  assertEq(mysteryBox.getRewards().length, 1);

  vm.stopPrank();

  vm.prank(owner);

  mysteryBox.withdrawFunds();

  vm.expectRevert();

  vm.prank(user1);

  mysteryBox.claimAllRewards();

  }

Impact

• users can't claim their rewards

Tools Used

Manual review

Recommendations

• Some Ideas to mitigate the issue

1. Check that there is no pending rewards before withdrawing

2. Design a cut for the owner

3. Subtract pending rewards for the contract balance and withdraw the remaining