Mystery Box

First Flight #25
Beginner Friendly, Foundry
Severity: low
Invalid

No Min/Max Limit for Box Price

Summary

The setBoxPrice() function allows the owner to set the price of mystery boxes without any checks for minimum or maximum limits. While the owner is considered a trusted actor, there is still a risk that the price could be set too high or too low accidentally, leading to unintended consequences for the protocol and its users.

Vulnerability Details

The setBoxPrice() function is implemented as follows:

function setBoxPrice(uint256 _price) public {
    require(msg.sender == owner, "Only owner can set price");
    boxPrice = _price;
}

This allows the owner to set the price to any value, including zero or an extremely high price. Although the owner is trusted, an accidental misconfiguration could make the boxes free or set them to an unreasonably high price, both of which can negatively impact the protocol.

Impact

An incorrect box price (e.g., accidentally set to 0) could result in users acquiring unlimited boxes for free, leading to depletion of rewards. On the other hand, an excessively high price could prevent users from purchasing boxes, diminishing user participation and harming the protocol’s viability.

Tools Used

Manual code review

Recommendations

Implement minimum and maximum constraints on the box price to safeguard against accidental misconfigurations:

uint256 constant MIN_PRICE = 0.01 ether;
uint256 constant MAX_PRICE = 1 ether;

function setBoxPrice(uint256 _price) public {
    require(msg.sender == owner, "Only owner can set price");
    require(_price >= MIN_PRICE && _price <= MAX_PRICE, "Price must be between 0.01 and 1 Ether");
    boxPrice = _price;
}

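The following Foundry test is an added example (not part of this submission or the audited code base) showing how the bounded setter behaves: it uses a minimal stand-in contract with the same owner/boxPrice state, and assumes the contract is deployed by the test contract with an in-range initial price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {Test} from "forge-std/Test.sol";

// Minimal stand-in for the protocol contract, constructed for this example
// (not the audited code): only owner, boxPrice and the bounded setter.
contract BoundedBoxPrice {
    uint256 public constant MIN_PRICE = 0.01 ether;
    uint256 public constant MAX_PRICE = 1 ether;
    address public owner;
    uint256 public boxPrice;

    constructor(uint256 initialPrice) {
        owner = msg.sender;
        boxPrice = initialPrice; // assumed to be deployed with a sane price
    }

    function setBoxPrice(uint256 _price) public {
        require(msg.sender == owner, "Only owner can set price");
        require(_price >= MIN_PRICE && _price <= MAX_PRICE, "Price must be between 0.01 and 1 Ether");
        boxPrice = _price;
    }
}

contract BoxPriceBoundsTest is Test {
    BoundedBoxPrice box;

    function setUp() public {
        box = new BoundedBoxPrice(0.1 ether); // this test contract becomes owner
    }

    // The "free boxes" misconfiguration (price 0) is rejected.
    function testRevertsOnZeroPrice() public {
        vm.expectRevert(bytes("Price must be between 0.01 and 1 Ether"));
        box.setBoxPrice(0);
    }

    // An absurdly high price (e.g. a misplaced decimal point) is rejected too.
    function testRevertsAboveMax() public {
        vm.expectRevert(bytes("Price must be between 0.01 and 1 Ether"));
        box.setBoxPrice(100 ether);
    }

    // Values inside the bounds are accepted and stored.
    function testAcceptsInRangePrice() public {
        box.setBoxPrice(0.5 ether);
        assertEq(box.boxPrice(), 0.5 ether);
    }
}
```

Run with forge test from a Foundry project that has forge-std installed.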
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
