Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP

Submission Details
Severity: low
Invalid

Owner can call `MysteryBox::setBoxPrice` with a value below `SEEDVALUE`, disallowing any further purchases of boxes

Description:

SEEDVALUE is a constant set to 0.1 ETH and is presumably meant to maintain a minimum box price. However, if the owner sets the box price to a small value below SEEDVALUE, then, due to a require statement in the constructor, users will no longer be able to purchase boxes.

// constructor
require(msg.value >= SEEDVALUE, "Incorrect ETH sent");

Impact:

Given that SEEDVALUE is a constant set to 0.1 ETH, buyBox will revert if the owner sets the box price below 0.1 ETH, so users will not be able to buy any more boxes.

Proof of Concept:

// Foundry test. Assumes the surrounding test contract's setUp() has deployed
// `mysteryBox` and that `owner` is the deploying address.
function testBoxPriceBelowSeedDoesntAllowPurchasing() public {
    uint256 newPrice = 0.05 ether; // below SEEDVALUE (0.1 ether)
    vm.startPrank(owner);
    mysteryBox.setBoxPrice(newPrice);
    assertEq(mysteryBox.boxPrice(), newPrice);
    // buyBox() is called here without attaching any ETH
    vm.expectRevert("Incorrect ETH sent");
    mysteryBox.buyBox();
    vm.stopPrank();
}

Recommended Mitigation:

Add a check in setBoxPrice so that _price cannot be set below SEEDVALUE:

function setBoxPrice(uint256 _price) public {
+ require(_price >= SEEDVALUE, "Box price cannot be below SEEDVALUE");
require(msg.sender == owner, "Only owner can set price");
boxPrice = _price;
}
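Review bot: the added `require(_price >= SEEDVALUE, ...)` on the first line of setBoxPrice runs before the owner check, so a non-owner who passes a low `_price` is rejected with "Box price cannot be below SEEDVALUE" instead of "Only owner can set price"; place the new check after `require(msg.sender == owner, "Only owner can set price");` so access control is enforced first and the revert reason stays accurate.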
Updates

Lead Judging Commences
inallhonesty (Lead Judge), about 1 year ago

Appeal created

Submission Judgement Published
inallhonesty (Lead Judge), about 1 year ago
Invalidated
Reason: Incorrect statement
