Mystery Box

First Flight #25

Beginner FriendlyFoundry

100 EXP

View results

Previous Next

Submission Details

Severity: high

Invalid

Owner can call `MysteryBox::withdrawFunds`, removing all ETH from the contract even if their are outstanding rewards to be paid

BigDog

Description:

With withdrawFunds, the owner can withdraw all ETH from the MysteryBox contract. However, if users have pending rewards from opening boxes and have not yet called claimAllRewards or claimSingleReward, and the owner calls on withdrawFunds, then those users will not be able to be paid out.

Impact:

Users can miss out on their earned rewards; owner can effectively rugpull rewards from users, so long as they withdraw before the users can claim.

Proof of Concept:

function testWithdrawFundsWithRewardsOutstanding() public {

uint256 timestamp = block.timestamp;

// Brute-force approach to find the desired address

for (uint256 i = 0; i < 1000; i++) {

address testAddress = address(uint160(i));

uint256 randomValue = uint256(keccak256(abi.encodePacked(timestamp, testAddress))) % 100;

if (randomValue == 95) { // desired testAddress (msg.sender) to get silver reward

vm.startPrank(testAddress);

vm.deal(testAddress, 1 ether);

mysteryBox.buyBox{value: 0.1 ether}();

mysteryBox.openBox();

MysteryBox.Reward[] memory rewards = mysteryBox.getRewards();

console2.log(rewards[0].value);

vm.stopPrank();

// Owner withdraws all funds

vm.startPrank(owner);

mysteryBox.withdrawFunds();

vm.stopPrank();

vm.startPrank(testAddress);

console2.log(rewards[0].value);

mysteryBox.claimSingleReward(0);

vm.stopPrank();

break;

}

Recommended Mitigation:

It's not very fair to users to allow for a complete withdrawl of funds when there are still rewards left to be paid out, one solution could be to implement a claimsPeriod where users are encouraged to get their rewards but where withdraw is temporarily invalid.

Updates

Appeal created

inallhonesty Lead Judge about 1 year ago

Submission Judgement Published

Invalidated

Reason: Non-acceptable severity

Rewards breakdown

nSLOC

This contest has a flat reward structure with the following payouts:

High

100 EXP

Medium

20 EXP

Low

2 EXP

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!