Mystery Box

Summary

This report identifies several vulnerabilities in the MysteryBox smart contract. The identified issues include a predictable randomness mechanism, an out-of-bounds index validation flaw, and a missing access control mechanism in the changeOwner function. These vulnerabilities can be exploited to manipulate rewards, access funds inappropriately, or take control of the contract.

Vulnerability Details

1. Predictable Randomness in openBox Function

• Code:

  uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;

• Description: The random number generation is based on block.timestamp and msg.sender, which are both publicly accessible and predictable values. An attacker can manipulate the block timestamp to influence the outcome of the randomness, thereby maximizing their chances of getting better rewards.

2. Incorrect Index Validation in claimSingleReward Function

• Code:

  require(_index <= rewardsOwned[msg.sender].length, "Invalid index");

• Description: The check allows _index to be equal to the length of the rewardsOwned[msg.sender] array. However, arrays are indexed from 0, and having an index equal to the length results in an out-of-bounds access, which can lead to errors.

3. Missing Access Control in changeOwner Function

• Code:

  function changeOwner(address _newOwner) public {

  owner = _newOwner;

  }

• Description: The function changeOwner lacks an access control check to verify that only the current owner can change the owner. This means that any user can call this function and take control of the contract, resulting in loss of ownership for the legitimate owner.

4 Reentrancy in claimAllRewards()and claimSingleReward(uint256)

Should delete rewardsOwned[msg.sender][_index] before transfer value.

Impact

1. Predictable Randomness: Attackers can manipulate randomness to guarantee favorable rewards, which undermines the fairness of the protocol and leads to disproportionate gains.

2. Out-of-Bounds Index: The incorrect index check can cause out-of-bounds errors, potentially leading to a denial of service or other unexpected behavior.

3. Unauthorized Ownership Change: Anyone can become the contract owner, allowing unauthorized individuals to withdraw funds or perform other privileged actions.

Tools Used

• VSCode

• Foundry

Recommendations

1. Secure Randomness

Replace the predictable randomness mechanism with a more secure source, such as Chainlink VRF or another oracle-based solution to provide unbiased and unpredictable randomness.

2. Correct Index Validation

Update the index validation in claimSingleReward function to:

This ensures that _index falls within the valid range of the array.

3. Add Access Control for changeOwner Function

Add an ownership check in the changeOwner function:

This ensures that only the current owner can transfer ownership, preventing unauthorized takeovers.