Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

`MysteryBox::addReward` lets the owner create a new reward with a name and value, but the probabilities of winning each reward cannot be updated, so newly added rewards can never be won

Description:

The owner can add a reward by calling addReward, and the new reward is pushed to rewardPool. Nothing, however, updates the probabilities associated with each reward: MysteryBox::openBox selects the reward with hardcoded branches that only ever reference the four original rewards.

if (randomValue < 75) {
// 75% chance to get Coal (0-74)
rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
} else if (randomValue < 95) {
// 20% chance to get Bronze Coin (75-94)
rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
} else if (randomValue < 99) {
// 4% chance to get Silver Coin (95-98)
rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether));
} else {
// 1% chance to get Gold Coin (99)
rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether)); // @audit mismatch -> constructor has 0, 0.1, 0.25, 0.5
}

Impact:

While the owner can add new rewards to rewardPool, any reward added this way can never be won by a user, so the owner's change to the reward set is silently ineffective.

Proof of Concept:

  1. The owner adds a new reward: addReward("Diamond Coin", 2 ether);

  2. The reward is appended to the list: rewardPool.push(Reward(_name, _value));

  3. openBox is unchanged, so the user still has a 75% chance of Coal, 20% of Bronze Coin, 4% of Silver Coin and 1% of Gold Coin, and a 0% chance of Diamond Coin.

Recommended Mitigation:

One solution is to extend the Reward struct with a probability (weight) for each reward, have openBox pick from rewardPool according to those weights instead of hardcoded branches, and add functions that allow the owner to edit or remove existing rewards.
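As an added illustration of that mitigation (this is sketch code written for this report, not the MysteryBox contract under review), the contract below keeps the rewards and their weights as data in rewardPool and lets openBox walk the cumulative weights. The names `weight`, `totalWeight`, `selectReward`, `setReward` and `removeReward` are assumptions made for the sketch; the original only exposes addReward(name, value). The roll in openBox is a placeholder in the same spirit as the original's 0-99 randomValue and is not a secure randomness source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added sketch for this report, not the MysteryBox code under review.
// `weight`, `totalWeight`, `selectReward`, `setReward` and `removeReward`
// are assumed names; the original contract only has addReward(name, value).
contract WeightedRewardPool {
    struct Reward {
        string name;
        uint256 value;
        uint256 weight; // share of totalWeight; 75/20/4/1 reproduces the original odds
    }

    address public owner;
    Reward[] public rewardPool;
    uint256 public totalWeight;
    mapping(address => Reward[]) public rewardsOwned;

    event RewardAdded(uint256 indexed index, string name, uint256 value, uint256 weight);

    modifier onlyOwner() {
        require(msg.sender == owner, "Only owner can call this function");
        _;
    }

    constructor() {
        owner = msg.sender;
        // The same four rewards as the original openBox branches, now stored as data.
        _add("Coal", 0 ether, 75);
        _add("Bronze Coin", 0.1 ether, 20);
        _add("Silver Coin", 0.5 ether, 4);
        _add("Gold Coin", 1 ether, 1);
    }

    // Owner adds a reward together with its weight; it is winnable immediately.
    function addReward(string memory _name, uint256 _value, uint256 _weight) external onlyOwner {
        _add(_name, _value, _weight);
    }

    // Owner re-prices or re-weights an existing reward (weight 0 retires it without deleting it).
    function setReward(uint256 _index, uint256 _value, uint256 _weight) external onlyOwner {
        require(_index < rewardPool.length, "Bad index");
        totalWeight = totalWeight - rewardPool[_index].weight + _weight;
        rewardPool[_index].value = _value;
        rewardPool[_index].weight = _weight;
    }

    // Owner removes a reward; swap-and-pop keeps the array compact (order is not preserved).
    function removeReward(uint256 _index) external onlyOwner {
        require(_index < rewardPool.length, "Bad index");
        totalWeight -= rewardPool[_index].weight;
        rewardPool[_index] = rewardPool[rewardPool.length - 1];
        rewardPool.pop();
    }

    // Maps a roll in [0, totalWeight) to a reward index by walking cumulative weights.
    // With weights 75/20/4/1 this reproduces the original 0-74 / 75-94 / 95-98 / 99 bands.
    function selectReward(uint256 roll) public view returns (uint256) {
        require(roll < totalWeight, "Roll out of range");
        uint256 cumulative = 0;
        for (uint256 i = 0; i < rewardPool.length; i++) {
            cumulative += rewardPool[i].weight;
            if (roll < cumulative) {
                return i;
            }
        }
        revert("Weights do not sum to totalWeight");
    }

    function openBox() external {
        require(totalWeight > 0, "No rewards configured");
        // Placeholder roll mirroring the original's randomValue. Block data is predictable,
        // so a real deployment needs a proper randomness source; that is out of scope here.
        uint256 roll = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % totalWeight;
        Reward memory won = rewardPool[selectReward(roll)];
        rewardsOwned[msg.sender].push(won);
    }

    function _add(string memory _name, uint256 _value, uint256 _weight) internal {
        rewardPool.push(Reward(_name, _value, _weight));
        totalWeight += _weight;
        emit RewardAdded(rewardPool.length - 1, _name, _value, _weight);
    }
}
```

After `addReward("Diamond Coin", 2 ether, 1)` totalWeight becomes 101 and the roll of 100 maps to the new reward, so the configuration change from the proof of concept takes effect without touching openBox. The same cumulative-weight walk is what a Foundry test would exercise: call selectReward with each roll from 0 to totalWeight - 1 and check that every index in rewardPool with a non-zero weight is reached.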

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

addReward won't have any effect on openBox
