The MysteryBox contract currently allows the owner to add rewards to the reward pool via the addReward() function, but there is no way for the owner to remove a reward once it has been added. This can be problematic if the owner accidentally adds a reward with an incorrect name or value. Without a removeReward() function, the owner has no way to rectify such mistakes, potentially resulting in incorrect rewards being distributed to users. A secure and restricted removeReward() function should be implemented to allow the owner to manage the reward pool effectively and maintain the integrity of the reward distribution process.
The lack of a removeReward() function limits the owner's ability to correct mistakes in reward entries. For example, if the owner mistakenly adds a reward with the wrong name (e.g., "Gold Coin" instead of "Silver Coin") or an incorrect value (e.g., 1 Ether instead of 0.5 Ether), the reward pool will contain incorrect entries that could negatively impact the fairness of the system and the expected outcomes for users.
The absence of a way to remove rewards also introduces an administrative burden, as the owner cannot maintain an accurate reward pool without adding potentially unnecessary logic to "ignore" incorrect rewards.
Initial Setup:
The owner accidentally adds a reward to the reward pool with the wrong name or price (e.g., "Silver Coin" instead of "Gold Coin").
Execution:
The owner realizes the mistake but cannot remove the incorrect reward from the pool.
Users may receive the incorrect reward when opening boxes, which can lead to dissatisfaction and mistrust.
Outcome:
Without a removeReward() function, the owner is forced to leave the incorrect reward in the pool or implement unnecessary logic to ignore it, both of which could affect the fairness of the system.
Administrative Difficulty: The owner cannot correct mistakes in the reward pool, leading to incorrect rewards being distributed to users.
User Confusion: Users may receive rewards with incorrect names or values, which could lead to confusion and dissatisfaction.
Lack of Flexibility: The contract does not provide the owner with the flexibility needed to manage the reward pool effectively.
Step 1: The owner adds a reward to the rewardPool with an incorrect name or value.
Step 2: The owner tries to correct the mistake but finds there is no function to remove the reward.
Expected Outcome: The owner should be able to remove the incorrect reward and add a new one with the correct details.
Actual Outcome: The incorrect reward remains in the pool, potentially affecting the fairness of the reward distribution process.
Manual review
The function should only be callable by the contract owner and should include the following features:
This implementation includes ownership checks and index validation to ensure that the function can only be called by the owner and that the reward index is valid. The "swap and pop" method ensures that rewards are removed efficiently without leaving gaps in the rewardPool.
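A removeReward() with the ownership check, index validation and "swap and pop" removal described above, as an added example that is not the original submission's code or the MysteryBox source. The Reward struct layout, the owner variable, the RewardRemoved event and the contract name are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the MysteryBox source. The Reward layout, the
// owner variable and the RewardRemoved event are assumptions.
contract RewardPoolExample {
    struct Reward {
        string name;
        uint256 value;
    }

    address public owner;
    Reward[] public rewardPool;

    // Emitted on removal so off-chain consumers can track pool changes.
    event RewardRemoved(uint256 indexed index, string name, uint256 value);

    constructor() {
        owner = msg.sender;
    }

    function addReward(string memory _name, uint256 _value) public {
        require(msg.sender == owner, "Only owner can add rewards");
        rewardPool.push(Reward(_name, _value));
    }

    function removeReward(uint256 _index) public {
        // Ownership check: only the owner may change the pool.
        require(msg.sender == owner, "Only owner can remove rewards");
        // Index validation: also rejects any call on an empty pool.
        require(_index < rewardPool.length, "Invalid reward index");

        Reward memory removed = rewardPool[_index];
        uint256 lastIndex = rewardPool.length - 1;

        // Swap and pop: move the last reward into the freed slot, then
        // shrink the array. No gap is left, but the moved reward now has
        // a different index, so any index-based selection sees a new order.
        if (_index != lastIndex) {
            rewardPool[_index] = rewardPool[lastIndex];
        }
        rewardPool.pop();

        emit RewardRemoved(_index, removed.name, removed.value);
    }
}
```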