Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

Ineffective Reward Addition in MysteryBox::addReward Due to Unused rewardPool Variable

Summary

The addReward function allows the owner to add rewards to the rewardPool. However, the rewardPool variable is not used anywhere in the contract, including in the critical openBox function where rewards are distributed. This makes the addition of rewards via addReward ineffective and the rewardPool itself a redundant variable.

Vulnerability Details

The rewardPool is populated with rewards through the addReward function, but it is not referenced when rewards are distributed during the openBox process. Instead of using rewardPool, the openBox function hardcodes the reward probabilities and their values, making any rewards added via addReward irrelevant.

```solidity
function addReward(string memory _name, uint256 _value) public {
    require(msg.sender == owner, "Only owner can add rewards");
    rewardPool.push(Reward(_name, _value));
}
```

Despite the rewards being added to the rewardPool, they are never considered when determining the rewards that users receive. The openBox function uses hardcoded values for the reward distribution logic, bypassing the rewardPool entirely.

Impact

The addReward function becomes useless because the rewards added through it are never used in the actual reward distribution process. This also makes the rewardPool variable redundant and misleading, potentially confusing developers or auditors who expect it to be part of the reward logic.

Tools Used

  • Manual code review

Recommendations

  1. Modify the openBox function to pull rewards dynamically from the rewardPool, ensuring that the rewards added via addReward are included in the distribution logic. For example, instead of hardcoding the rewards, you could select rewards randomly from the rewardPool.

  2. If you decide to keep the current hardcoded reward system, consider removing the addReward function and the rewardPool variable entirely, as they are currently not serving any functional purpose.

  3. Ensure proper documentation and clarity in the contract code to avoid confusion regarding how rewards are handled and distributed.
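The first recommendation sketched as an added illustration, not code from the audited contract or from this submission: a minimal contract in which openBox draws its reward from rewardPool, so every addReward call changes what a player can receive. The contract name, the RewardDrawn event, the uniform selection and the _randomWord hook are assumptions; the real contract's randomness source is not described in this finding and is represented only by a placeholder.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.18;

// Illustrative rewrite: distribution reads rewardPool instead of hardcoded values.
contract MysteryBoxPoolDraw {
    struct Reward {
        string name;
        uint256 value;
    }

    address public owner;
    Reward[] public rewardPool;

    event RewardDrawn(address indexed player, string name, uint256 value);

    constructor() {
        owner = msg.sender;
    }

    // Unchanged from the finding: only the owner may grow the pool.
    function addReward(string memory _name, uint256 _value) public {
        require(msg.sender == owner, "Only owner can add rewards");
        rewardPool.push(Reward(_name, _value));
    }

    // Every pool entry is equally likely. Weighted odds, as the original
    // hardcoded table had, would need a per-entry weight field in Reward.
    function openBox() public returns (Reward memory drawn) {
        uint256 n = rewardPool.length;
        require(n > 0, "No rewards configured"); // avoids modulo by zero
        uint256 idx = _randomWord() % n;
        drawn = rewardPool[idx];
        emit RewardDrawn(msg.sender, drawn.name, drawn.value);
    }

    // Assumed hook standing in for the contract's own randomness source.
    // On-chain inputs like these are predictable; the source is a separate
    // concern from the rewardPool data-flow bug this finding is about.
    function _randomWord() internal view virtual returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.prevrandao, msg.sender)));
    }
}
```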

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

addReward won't have any effect on openBox
