Loss of Rewards in transferReward
Summary
In the transferReward function, the reward is deleted from rewardsOwned[msg.sender] using delete rewardsOwned[msg.sender][_index]. This does not shift the array, so the array will have gaps. This could lead to unintended behavior when interacting with the rewards array.
Vulnerability Details
MysteryBox.sol/Line 76
Impact
Users might lose rewards or experience inconsistent behavior when trying to transfer or claim rewards due to empty array slots caused by the delete operation.
Tools Used
Foundry
Recommendations
Consider using array shifting or swapping the last element with the deleted one before removing it to ensure proper handling of the array.
Appeal created
A user can poison the `rewardsOwned` of another user via `transferReward` of an empty reward index
A user can poison the `rewardsOwned` of another user via `transferReward` of an empty reward index
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.