Mystery Box
First Flight #25
Beginner FriendlyFoundry
100 EXP
View results
Previous Next
Submission Details
Severity: medium
Invalid

Improper Index Bound Check in claimSingleReward()

devvmichael

Summary

The index check in claimSingleReward() is off by one, potentially allowing out-of-bounds access.

Vulnerability Details

Affected Code:

function claimSingleReward(uint256 _index) public {
require(_index <= rewardsOwned[msg.sender].length, "Invalid index");
// ...
}

  • Issue: Arrays are zero-indexed; the valid indices are from 0 to length - 1.

  • Consequence: If _index == length, it exceeds the array bounds.

A Scenario

  1. User Action:

    • Calls claimSingleReward() with _index equal to rewardsOwned[msg.sender].length.

  2. Result:

    • The function attempts to access an element beyond the array's end.

    • May cause a runtime error or unexpected behavior and might revert the transaction potentially giving bad UX for a user.

Reference to Test Code

We can write a test to demonstrate this issue:

function testClaimSingleReward_InvalidIndex() public {
vm.prank(user1);
// Assuming rewardsOwned[user1].length == 0
vm.expectRevert("Invalid index");
mysteryBox.claimSingleReward(0); // Should revert since there are no rewards
}

Even if the user has rewards, passing an index equal to length should fail.

Impact

  • Runtime Errors: Potential for contract execution failures.

  • Security Risks: May expose unintended data or cause unexpected behavior.

Tools Used

  • Manual Code Review: Identified the incorrect index condition.

  • Testing Framework (Foundry): Wrote Tests to confirm the vulnerability.

Recommendations

Correct the index check:

require(_index < rewardsOwned[msg.sender].length, "Invalid index");
Updates

Appeal created

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.

Give us feedback!