The function `claimAllRewards` is vulnerable to reentrancy: a malicious smart contract can reenter the function and withdraw all funds.
A user deploys a malicious smart contract that buys a box and opens it, repeating until it gets one with a prize.
The user calls the malicious smart contract, which calls `claimAllRewards()`.
The `fallback()` function of the malicious smart contract calls `claimAllRewards()` again until no funds remain.
All funds are withdrawn from the protocol.
Follow CEI (checks-effects-interactions):
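A minimal sketch of that reordering, added here as an illustration and not taken from the audited contract: the contract name, the `rewardValues` mapping, the `creditReward` helper and the error strings are assumptions, and the unsafe variant shows the call-before-update ordering that the finding implies.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; names and storage layout are assumed, not the protocol's own.
contract RewardVaultSketch {
    // Assumed layout: the value of each prize a user currently owns.
    mapping(address => uint256[]) private rewardValues;

    // Assumed helper standing in for the box-opening logic that awards a prize.
    function creditReward(address user) external payable {
        rewardValues[user].push(msg.value);
    }

    // Reentrant ordering: the external call happens before state is cleared.
    function claimAllRewardsUnsafe() external {
        uint256 total = _sum(msg.sender);
        require(total > 0, "No rewards to claim");
        // Interaction first: control passes to the caller's fallback/receive.
        (bool ok, ) = payable(msg.sender).call{value: total}("");
        require(ok, "Transfer failed");
        // Effect last: a nested call made during the transfer still sees
        // the full reward list and is paid again.
        delete rewardValues[msg.sender];
    }

    // CEI ordering: checks, then effects, then the interaction.
    function claimAllRewards() external {
        // Checks
        uint256 total = _sum(msg.sender);
        require(total > 0, "No rewards to claim");
        // Effects: clear the caller's rewards before any ether leaves.
        delete rewardValues[msg.sender];
        // Interaction: a nested call now sums to zero and fails the check.
        (bool ok, ) = payable(msg.sender).call{value: total}("");
        require(ok, "Transfer failed");
    }

    function _sum(address user) private view returns (uint256 total) {
        uint256[] storage values = rewardValues[user];
        for (uint256 i = 0; i < values.length; i++) {
            total += values[i];
        }
    }
}
```

If the transfer fails, the `require` reverts the whole transaction, so the `delete` is rolled back and the rewards are not lost.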