The current implementation of the MysteryBox contract uses a hardcoded reward distribution with fixed probabilities, and there is no function to update these probabilities when new rewards are added via the addReward() function. As a result, any new rewards added by the owner will not be distributed to users because the existing probability logic does not account for them. This limitation reduces the protocol’s flexibility and scalability, effectively rendering newly added rewards unusable.
The reward distribution in the openBox() function is based on hardcoded probabilities:
This distribution assigns fixed probabilities:
75% for Coal
20% for Bronze Coin
4% for Silver Coin
1% for Gold Coin
However, when new rewards are added through the addReward() function, there is no mechanism to update the reward selection logic. The current fixed percentages prevent any newly added rewards from being distributed, making them unusable.
This issue significantly impacts the scalability of the protocol:
For the owner: Adding new rewards becomes ineffective because the system doesn't integrate them into the reward distribution.
For users: They will not receive any newly added rewards, which could frustrate players who expect fresh updates or new rewards to be accessible.
For the protocol: This lack of flexibility limits the contract’s ability to evolve and adjust its reward system over time, reducing long-term sustainability and adaptability.
Manual code review
To resolve this issue, implement a dynamic probability adjustment mechanism that accounts for all rewards, including newly added ones. Each reward should have an associated probability, and the total probability should be recalculated whenever a new reward is added.
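One way to implement this recommendation, as an added example that is not the MysteryBox source: each reward carries a weight and a running total is updated on every addition, so rewards added later become selectable. The contract name, `weight`, `totalWeight` and `pickReward` are assumed names, and the random value is passed in by the caller because its source is outside what this finding covers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the audited contract. All identifiers are assumed names.
contract WeightedRewardPool {
    struct Reward {
        string name;
        uint256 weight; // relative share of totalWeight, not a fixed percentage
    }

    address public owner;
    Reward[] public rewards;
    uint256 public totalWeight; // recalculated whenever a reward is added

    constructor() {
        owner = msg.sender;
        // Seed with the split listed in the finding: 75 / 20 / 4 / 1.
        _add("Coal", 75);
        _add("Bronze Coin", 20);
        _add("Silver Coin", 4);
        _add("Gold Coin", 1);
    }

    function addReward(string memory name, uint256 weight) external {
        require(msg.sender == owner, "only owner");
        _add(name, weight);
    }

    function _add(string memory name, uint256 weight) internal {
        // A zero-weight entry could never be selected, which is the bug being fixed.
        require(weight > 0, "weight must be > 0");
        rewards.push(Reward(name, weight));
        totalWeight += weight;
    }

    // Maps a caller-supplied random value onto the cumulative weight ranges.
    function pickReward(uint256 randomValue) public view returns (uint256 index) {
        uint256 roll = randomValue % totalWeight; // 0 .. totalWeight - 1
        uint256 cumulative = 0;
        for (uint256 i = 0; i < rewards.length; i++) {
            cumulative += rewards[i].weight;
            if (roll < cumulative) {
                return i; // first range whose upper bound exceeds the roll
            }
        }
        revert("unreachable: roll < totalWeight");
    }
}
```

With the seeded weights the split is 75/20/4/1 out of 100; after `addReward("New Reward", 5)` the new entry covers 5 of every 105 roll values and the existing shares shrink proportionally.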