The addReward()
and openBox()
functions in the MysteryBox
contract introduce an issue where newly added rewards are not being properly distributed to users. After calling addReward()
, the new rewards cannot be assigned to any user when opening a box, which breaks the reward distribution logic.
addReward(): This function allows the contract owner to add new rewards to the reward pool. However, the logic in the openBox() function does not dynamically account for the added rewards, meaning newly added rewards are not included in the reward assignment process.
openBox(): This function generates a random value to assign predefined rewards based on fixed conditions (coal, bronze, silver, and gold). It does not dynamically update to accommodate newly added rewards from the addReward() function, effectively rendering those rewards unavailable to users.
Newly added rewards are inaccessible.
Inconsistent reward distribution.
Manual review
Modify the openBox() function to dynamically select rewards from the rewardPool array. This can be done by introducing a weighted random selection based on the size of the reward pool.
By dynamically adjusting the reward distribution logic, the contract will correctly handle any rewards added by the owner and will ensure users can receive them.
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.