Submission Details
Severity:
Rewards added by the owner can not be won
Summary
After the contract is deployed, there are 4 rewards which users can gets from mystery box. Owner can add rewards using MysteryBox::addReward function.
Vulnerability Details
Unfortunately, there is no possibility to win rewards added later by the owner, beacuse function MysteryBox::openBox has only four options to win rewards which was declared during contract deploy.
// Determine the reward based on probability
if (randomValue < 75) {
// 75% chance to get Coal (0-74)
rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
} else if (randomValue < 95) {
// 20% chance to get Bronze Coin (75-94)
rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
} else if (randomValue < 99) {
// 4% chance to get Silver Coin (95-98)
rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether));
} else {
// 1% chance to get Gold Coin (99)
rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether));
}
Impact
No possibility to win rewards added by the owner.
Tools Used
Manual review
Recommendations
Updates
Appeal created
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
addReward won't have any effect on openBox
Rewards breakdown
nSLOC
86This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.