Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Valid

Inconsistent Reward Values in openBox Function

Summary

The MysteryBox smart contract initializes rewards with specific values at deployment, but the openBox function uses different values for these rewards. This inconsistency can lead to confusion and unexpected behavior for users.

Vulnerability Details

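The issue exists in the openBox function of the MysteryBox contract. The function assigns rewards with values that differ from those initialized at deployment. Specifically, the values for Gold and Silver coins are inconsistent: the constructor sets Gold Coin to 0.5 ether and Silver Coin to 0.25 ether, while openBox awards Gold Coin at 1 ether and Silver Coin at 0.5 ether.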

Initialization in Constructor:

rewardPool.push(Reward("Gold Coin", 0.5 ether));
rewardPool.push(Reward("Silver Coin", 0.25 ether));
rewardPool.push(Reward("Bronze Coin", 0.1 ether));
rewardPool.push(Reward("Coal", 0 ether));

Values in openBox Function:

if (randomValue < 75) {
    rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
} else if (randomValue < 95) {
    rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
} else if (randomValue < 99) {
    rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether)); // Should be 0.25 ether
} else {
    rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether)); // Should be 0.5 ether
}

Impact

User Confusion: Users may be confused by the differing values of rewards, leading to a lack of trust in the contract.

Tools Used

  • Manual Review

Recommendations

To resolve this issue, ensure that the reward values in the openBox function match the values initialized at deployment.
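
One way to apply this recommendation, as an added example that is not the MysteryBox contract's own code: the reward branch selects an index into rewardPool and copies that entry, so reward values are written only in the constructor. The contract name, the index constants, the struct field names and the `_grantReward` helper are assumptions; `randomValue` is passed in because the page does not show how openBox derives it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the MysteryBox contract: only the reward bookkeeping is
// sketched. Contract name, field names, constants and _grantReward are
// hypothetical.
contract RewardTableSketch {
    struct Reward {
        string name;
        uint256 value;
    }

    // Indexes into rewardPool, in the order the constructor pushes entries.
    uint256 private constant GOLD = 0;
    uint256 private constant SILVER = 1;
    uint256 private constant BRONZE = 2;
    uint256 private constant COAL = 3;

    Reward[] public rewardPool;
    mapping(address => Reward[]) public rewardsOwned;

    constructor() {
        // The only place reward values are written.
        rewardPool.push(Reward("Gold Coin", 0.5 ether));
        rewardPool.push(Reward("Silver Coin", 0.25 ether));
        rewardPool.push(Reward("Bronze Coin", 0.1 ether));
        rewardPool.push(Reward("Coal", 0 ether));
    }

    // Same thresholds as the openBox snippet above.
    function _grantReward(address user, uint256 randomValue) internal {
        uint256 index;
        if (randomValue < 75) {
            index = COAL;
        } else if (randomValue < 95) {
            index = BRONZE;
        } else if (randomValue < 99) {
            index = SILVER;
        } else {
            index = GOLD;
        }
        // Copy the pool entry instead of building a new literal, so the
        // granted value cannot drift from the one set at deployment.
        Reward memory granted = rewardPool[index];
        rewardsOwned[user].push(granted);
    }
}
```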

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

The rewards in constructor are different from the rewards in openBox
