Mystery Box

First Flight #25
Beginner Friendly
Foundry
100 EXP
Submission Details
Severity: medium
Valid

Pending rewards may exceed contract balance, causing failed transfers of rewards to users

Description:

MysteryBox::claimAllRewards and MysteryBox::claimSingleReward do not check whether the contract holds enough ETH to pay out the rewards being claimed.

Impact:

Users who call these functions to receive their rewards will have the transfer revert whenever the contract does not hold enough ETH to pay them, so the rewards become unclaimable until the balance is topped up.

Proof of Concept:

function testRewardsCanExceedContractHoldings() public {
    uint256 timestamp = block.timestamp;
    console.log(address(mysteryBox).balance); // MysteryBox starts w/ 1 ETH via deployment
    // Brute-force approach to find an address whose roll at this timestamp is 95 (silver)
    for (uint256 i = 0; i < 1000; i++) {
        address testAddress = address(uint160(i));
        uint256 randomValue = uint256(keccak256(abi.encodePacked(timestamp, testAddress))) % 100;
        if (randomValue == 95) { // desired testAddress (msg.sender) to get silver reward
            vm.startPrank(testAddress);
            vm.deal(testAddress, 1 ether);
            mysteryBox.buyBox{value: 0.1 ether}();
            mysteryBox.openBox();
            mysteryBox.buyBox{value: 0.1 ether}();
            mysteryBox.openBox();
            mysteryBox.buyBox{value: 0.1 ether}();
            mysteryBox.openBox();
            MysteryBox.Reward[] memory rewards = mysteryBox.getRewards(); // 3 silver rewards to claim = 1.5 ETH
            console.log(address(mysteryBox).balance);
            mysteryBox.claimAllRewards(); // reverts with OutOfFunds -> contract holds 1 ETH + 0.3 ETH from user buying boxes; 1.3 ETH in contract < 1.5 ETH in pending rewards
            vm.stopPrank();
            break;
        }
    }
}

Recommended Mitigation:

Implement a system that ensures the contract cannot issue rewards that exceed its balance (this could be a significant rewrite of the protocol).
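One way to enforce this, as an added sketch that is not the MysteryBox code under review: track the total ETH owed to all users and refuse to record a new reward the contract could not cover. The 0.1 ETH box price and the roll-95-pays-0.5-ETH silver tier are taken from the PoC above; the contract, function and variable names and the other tiers are assumed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of a solvency check; not the protocol's own code.
// Assumed: 0.1 ETH box price and silver = 0.5 ETH at roll 95 (from the PoC).
// Other reward tiers are left out to keep the sketch short.
contract SolventRewards {
    uint256 public constant BOX_PRICE = 0.1 ether;

    mapping(address => uint256) public boxes;
    mapping(address => uint256) public pendingRewards; // ETH owed per user
    uint256 public totalPending;                       // ETH owed to everyone

    error InsufficientReserve(uint256 needed, uint256 available);
    error TransferFailed();

    function buyBox() external payable {
        require(msg.value == BOX_PRICE, "wrong price");
        boxes[msg.sender] += 1;
    }

    // A reward is only recorded if balance still covers every outstanding claim.
    function openBox() external {
        require(boxes[msg.sender] > 0, "no box");
        boxes[msg.sender] -= 1;
        // Roll mirrors the PoC's randomness source; its predictability is out of scope here.
        uint256 roll = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
        uint256 value = roll == 95 ? 0.5 ether : 0;
        uint256 needed = totalPending + value;
        if (needed > address(this).balance) {
            revert InsufficientReserve(needed, address(this).balance);
        }
        pendingRewards[msg.sender] += value;
        totalPending = needed;
    }

    // Checks-effects-interactions: clear the debt before sending ETH.
    function claimAllRewards() external {
        uint256 amount = pendingRewards[msg.sender];
        require(amount > 0, "nothing to claim");
        pendingRewards[msg.sender] = 0;
        totalPending -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        if (!ok) revert TransferFailed();
    }
}
```

With this invariant (balance >= totalPending) a claim can no longer revert for lack of funds; the failure surfaces at openBox instead, where the protocol can choose to refund or pause rather than create a debt it cannot pay.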

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol should have a higher initial balance to prevent prize withdrawing problems
