[H-3]: The `MysteryBox::withdrawFunds` function lacks check for funds that have been won but not yet withdrawn
Summary
The function MysteryBox::withdrawFunds allows the owner of the contract to withdraw the whole balance of the protocol regardless of whether there are still wins to be claimed.
Vulnerability Details
The function does not check if there are any distributed, unopened boxes nor if all the winnings have already been claimed. The owner can therefore withdraw all funds from the protocol despite there may still be some winnings to be claimed.
Proof-of-Concept
User enters the MysteryBox competition and purchases 5 boxes for 0.1 ETH each.
The user starts opening the boxex to find winnings totalling at 1.5 ETH.
Before the user claims the prize, the owner calls the
MysteryBox::withdrawFundsfunction that will send the whole contract balance (0.5 ETH) to the owner's addressSince the contract's balance is zero, the user is unable to claim its winnings making the protocol a fraud
Tools Used
Static analysis
Recommendations
Add checks to ensure all winnings were paid before the funds were withdrawn by the owner. There is also a check needed for the unopened boxes.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.