Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

Lack of Input Validation in addReward

Summary

The addReward function in the MysteryBox contract performs no validation on its input parameters, so rewards with an empty name or a zero value can be added, which could lead to unexpected behavior or potential exploitation.

Vulnerability Details

The addReward function allows the contract owner to add rewards to the reward pool. However, neither input parameter is validated: the reward name may be empty and the reward value may be zero. Such entries might disrupt the reward distribution logic.

PoC

The vulnerable code is likely in the addReward function:

function addReward(string memory _name, uint256 _value) public onlyOwner {
    // onlyOwner already enforces this check
    require(msg.sender == owner, "Only owner can add rewards");
    // _name and _value are stored without any validation
    rewardPool.push(Reward(_name, _value));
}

Test Case Demonstrating Vulnerability:

function testLackOfInputValidationInAddReward() public {
    // Get the initial reward count
    uint256 initialRewardCount = mysteryBox.getRewardPool().length;

    // Add a reward with an empty name
    vm.prank(owner);
    mysteryBox.addReward("", 1 ether);

    // Add a reward with zero value
    vm.prank(owner);
    mysteryBox.addReward("Zero Value Reward", 0);

    // Get the new reward count
    uint256 newRewardCount = mysteryBox.getRewardPool().length;

    // Both invalid rewards were accepted into the pool
    assertEq(
        newRewardCount,
        initialRewardCount + 2,
        "Two rewards should have been added"
    );
}

Impact

  • Adding rewards with invalid parameters could disrupt the reward distribution logic.

  • Malicious actors could add rewards with misleading or harmful parameters.

Tools Used

  • Manual code review

Recommendations

Add validation checks for the input parameters in the addReward function.

function addReward(string memory _name, uint256 _value) public onlyOwner {
    // Reject empty names and zero-value rewards before storing anything
    require(bytes(_name).length > 0, "Reward name cannot be empty");
    require(_value > 0, "Reward value must be greater than zero");
    require(msg.sender == owner, "Only owner can add rewards");
    rewardPool.push(Reward(_name, _value));
}
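A Foundry test for the recommended checks, written as an added example for this page (it is not part of the original submission or of the MysteryBox repository). It uses a minimal stand-in contract with the same struct, modifier and function signatures as MysteryBox, rather than the real contract, so that it runs on its own:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Constructed stand-in for MysteryBox carrying the recommended validation.
contract HardenedRewardPool {
    struct Reward { string name; uint256 value; }
    address public owner;
    Reward[] public rewardPool;

    modifier onlyOwner() { require(msg.sender == owner, "Only owner can call this function"); _; }

    constructor() { owner = msg.sender; }

    function addReward(string memory _name, uint256 _value) public onlyOwner {
        require(bytes(_name).length > 0, "Reward name cannot be empty");
        require(_value > 0, "Reward value must be greater than zero");
        rewardPool.push(Reward(_name, _value));
    }

    function getRewardPool() public view returns (Reward[] memory) { return rewardPool; }
}

contract AddRewardValidationTest is Test {
    HardenedRewardPool box;
    address owner;

    function setUp() public {
        owner = makeAddr("owner");
        vm.prank(owner);
        box = new HardenedRewardPool();
    }

    function testEmptyNameReverts() public {
        vm.prank(owner);
        vm.expectRevert(bytes("Reward name cannot be empty"));
        box.addReward("", 1 ether);
    }

    function testZeroValueReverts() public {
        vm.prank(owner);
        vm.expectRevert(bytes("Reward value must be greater than zero"));
        box.addReward("Zero Value Reward", 0);
    }

    function testValidRewardIsStored() public {
        vm.prank(owner);
        box.addReward("Gold Coin", 0.5 ether);
        assertEq(box.getRewardPool().length, 1, "Valid reward should be stored");
    }
}
```

Run with `forge test --match-contract AddRewardValidationTest`; the two revert tests pass only if the checks sit before the push, so removing either require makes the corresponding test fail.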

Updates

Appeal created

inallhonesty (Lead Judge), about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
