Summary

The addReward() and openBox() functions in the MysteryBox contract introduce an issue where newly added rewards are not being properly distributed to users. After calling addReward(), the new rewards cannot be assigned to any user when opening a box, which breaks the reward distribution logic.

Vulnerability Details

• addReward(): This function allows the contract owner to add new rewards to the reward pool. However, the logic in the openBox() function does not dynamically account for the added rewards, meaning newly added rewards are not included in the reward assignment process.

• openBox(): This function generates a random value to assign predefined rewards based on fixed conditions (coal, bronze, silver, and gold). It does not dynamically update to accommodate newly added rewards from the addReward() function, effectively rendering those rewards unavailable to users.

Impact

Newly added rewards are inaccessible.

Inconsistent reward distribution.

Tools Used

Manual review

Recommendations

Modify the openBox() function to dynamically select rewards from the rewardPool array. This can be done by introducing a weighted random selection based on the size of the reward pool.

By dynamically adjusting the reward distribution logic, the contract will correctly handle any rewards added by the owner and will ensure users can receive them.