Mystery Box

First Flight #25
Beginner Friendly, Foundry
Severity: medium
Valid

rewardPool is meaningless.

Summary

The rewardPool array, and the owner-only addReward function that extends it, have no effect on openBox: the rewards a box grants are hard-coded, so the configured reward list is meaningless.

Vulnerability Details

In this contract, rewardPool appears to define the set of possible rewards, and addReward lets the owner extend that set externally.
The list of reward kinds is therefore configurable, but when a box is opened the reward logic is hard-coded: openBox never reads rewardPool, so rewardPool has no real effect. The hard-coded entries do not even match the pool (Silver Coin is 0.25 ether in the pool but 0.5 ether when granted; Gold Coin is 0.5 ether in the pool but 1 ether when granted).

...
constructor() payable {
    owner = msg.sender;
    boxPrice = 0.1 ether;
    require(msg.value >= SEEDVALUE, "Incorrect ETH sent");
    // Initialize with some default rewards
    rewardPool.push(Reward("Gold Coin", 0.5 ether));
    rewardPool.push(Reward("Silver Coin", 0.25 ether));
    rewardPool.push(Reward("Bronze Coin", 0.1 ether));
    rewardPool.push(Reward("Coal", 0 ether));
}
...
function addReward(string memory _name, uint256 _value) public {
    require(msg.sender == owner, "Only owner can add rewards");
    rewardPool.push(Reward(_name, _value));
}
...
function openBox() public {
    require(boxesOwned[msg.sender] > 0, "No boxes to open");
    // Generate a random number between 0 and 99
    uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
    // Determine the reward based on probability
    if (randomValue < 75) {
        // 75% chance to get Coal (0-74)
        rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
    } else if (randomValue < 95) {
        // 20% chance to get Bronze Coin (75-94)
        rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
    } else if (randomValue < 99) {
        // 4% chance to get Silver Coin (95-98)
        rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether));
    } else {
        // 1% chance to get Gold Coin (99)
        rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether));
    }
    boxesOwned[msg.sender] -= 1;
}

Impact

Users receive rewards that differ from the set the owner configured through rewardPool and addReward, which may cause backlash because the contract does not operate according to the compensation rules the owner set.

Tools Used

Manual Review

Recommendations

The openBox function can be changed so that the Reward pushed to rewardsOwned is taken from rewardPool rather than from hard-coded values, so that the owner's configuration (including rewards added later via addReward) actually governs what a box grants.
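One way to implement this recommendation, written here as an added example and not code from the Mystery Box project: the openBox draw walks rewardPool, so anything the owner adds can be granted. The `weight` field on Reward, the `totalWeight` counter and the `_addReward` helper are assumed additions, and the box purchase path (not shown in this report) is omitted.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added example, not the project's code. Assumed additions: a `weight` field on
// Reward, `totalWeight`, and `_addReward`; the box purchase path is omitted.
contract MysteryBoxFixed {
    struct Reward { string name; uint256 value; uint256 weight; }
    address public owner;
    uint256 public boxPrice;
    uint256 public totalWeight;
    Reward[] public rewardPool;
    mapping(address => uint256) public boxesOwned;
    mapping(address => Reward[]) public rewardsOwned;
    constructor() payable {
        owner = msg.sender;
        boxPrice = 0.1 ether;
        // Same names/values as the original pool, with the original odds as weights.
        _addReward("Gold Coin", 0.5 ether, 1);
        _addReward("Silver Coin", 0.25 ether, 4);
        _addReward("Bronze Coin", 0.1 ether, 20);
        _addReward("Coal", 0 ether, 75);
    }

    function addReward(string memory _name, uint256 _value, uint256 _weight) public {
        require(msg.sender == owner, "Only owner can add rewards");
        _addReward(_name, _value, _weight);
    }

    function _addReward(string memory _name, uint256 _value, uint256 _weight) internal {
        require(_weight > 0, "Weight must be positive");
        rewardPool.push(Reward(_name, _value, _weight));
        totalWeight += _weight;
    }

    function openBox() public {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        boxesOwned[msg.sender] -= 1; // state update before the draw
        // Randomness source kept as in the original; its predictability is a separate issue.
        uint256 roll = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % totalWeight;
        // Walk the pool so every entry, including ones added via addReward, can be granted.
        uint256 cumulative = 0;
        for (uint256 i = 0; i < rewardPool.length; i++) {
            cumulative += rewardPool[i].weight;
            if (roll < cumulative) {
                rewardsOwned[msg.sender].push(rewardPool[i]);
                return;
            }
        }
    }
}
```

Because the granted Reward is copied straight from rewardPool, the value a user receives can no longer drift from the value the owner configured.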

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

addReward won't have any effect on openBox
