Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Valid

claimSingleReward() does not follow CEI and therefore suffers from a reentrancy issue

Summary

The function `claimSingleReward()` is vulnerable to reentrancy: a malicious contract can re-enter the function during the external call and withdraw all of the protocol's funds.

Vulnerability Details

  1. The attacker deploys a malicious contract that buys a box and opens it, repeating until it holds a box with a prize.

  2. The attacker has the malicious contract call `claimSingleReward(indexWinningPrize)` with the index of the winning prize.

  3. The `fallback()` function of the malicious contract calls `claimSingleReward(indexWinningPrize)` again until no funds remain.

Impact

An attacker can withdraw all funds from the protocol.

Recommendations

Follow the Checks-Effects-Interactions (CEI) pattern and delete the reward before making the external call:

```diff
 function claimSingleReward(uint256 _index) public {
     require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
     uint256 value = rewardsOwned[msg.sender][_index].value;
     require(value > 0, "No reward to claim");
+    delete rewardsOwned[msg.sender][_index];
     //@audit possible to reenter here as well
     (bool success,) = payable(msg.sender).call{value: value}("");
     require(success, "Transfer failed");
-    delete rewardsOwned[msg.sender][_index];
 }
```
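The following Python model, added here as an illustration and not the protocol's Solidity, replays the steps above against a toy contract in both orderings: with `delete` after the transfer (the reported bug) and with `delete` before it (the CEI fix). The contract balance, the single 1-ether prize and the recipient's re-entering callback are all constructed values; the callback stands in for the EVM `call` into a `fallback()`.

```python
"""Model of claimSingleReward() re-entrancy and the CEI fix (constructed example)."""


class Revert(Exception):
    """Stands in for a failed `require`, which reverts the nested call."""


class MysteryBoxModel:
    def __init__(self, funds, cei):
        self.balance = funds  # ether held by the contract
        self.rewards = {}     # account -> list of reward values
        self.cei = cei        # True: zero the reward before the transfer

    def grant(self, account, value):
        self.rewards.setdefault(account, []).append(value)

    def claim_single_reward(self, account, index, fallback):
        owned = self.rewards[account]
        if index >= len(owned):
            raise Revert("Invalid index")
        value = owned[index]
        if value <= 0:
            raise Revert("No reward to claim")  # the guard that CEI makes effective
        if self.cei:
            owned[index] = 0       # effect first: Solidity `delete` zeroes the slot
        self.balance -= value      # interaction: the transfer hands control away
        fallback(account, index, value)
        if not self.cei:
            owned[index] = 0       # reported ordering: effect only after the call


def run_claim(cei):
    """Claim one reward with a re-entering recipient; return (received, left in contract)."""
    box = MysteryBoxModel(funds=10, cei=cei)  # constructed: 10 ether held, one 1-ether prize
    box.grant("claimer", 1)
    received = [0]

    def fallback(account, index, value):
        received[0] += value
        if box.balance > 0:                    # re-enter while funds remain
            try:
                box.claim_single_reward(account, index, fallback)
            except Revert:
                pass                           # "No reward to claim": CEI stops the loop

    box.claim_single_reward("claimer", 0, fallback)
    return received[0], box.balance
```

With the reported ordering `run_claim(cei=False)` pays out the whole 10 ether against a single 1-ether prize; with CEI `run_claim(cei=True)` pays 1 ether and the nested call reverts.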
Updates

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Validated
Assigned finding tags:

`claimSingleReward` reentrancy
