Submission Details
Severity:
Reentrancy in MysteryBox::claimSingleReward allows to withdraw all funds from the contract
Summary
Function MysteryBox::claimSingleRewarddoes not follow CEI pattern and this allows to re-enter to the function and claim rewards again before the rewards array for the user is deleted.
Vulnerability Details
Function MysteryBox::claimSingleReward deletes a reward from the rewardsOwned array after sending the reward to the user:
function claimSingleReward(uint256 _index) public {
require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
uint256 value = rewardsOwned[msg.sender][_index].value;
require(value > 0, "No reward to claim");
(bool success,) = payable(msg.sender).call{value: value}("");
require(success, "Transfer failed");
delete rewardsOwned[msg.sender][_index];
}
This allows to re-enter to the function and claim the rewards again.
Impact
An attacker can withdraw all funds from the contract.
Tools Used
Manual review
Recommendations
Change the function to follow CEI pattern as below:
function claimSingleReward(uint256 _index) public {
require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
uint256 value = rewardsOwned[msg.sender][_index].value;
require(value > 0, "No reward to claim");
+ delete rewardsOwned[msg.sender][_index];
(bool success,) = payable(msg.sender).call{value: value}("");
require(success, "Transfer failed");
- delete rewardsOwned[msg.sender][_index];
}
Updates
Appeal created
inallhonesty about 1 year ago
Submission Judgement Published Assigned finding tags:
`claimSingleReward` reentrancy
Rewards breakdown
nSLOC
86This contest has a flat reward structure with the following payouts:
100 EXP
20 EXP
2 EXP
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.