Mystery Box

Summary

The SEEDVALUE is defined as a constant with a fixed value of 0.1 ether. This means that once the contract is deployed, the initial funding cannot be increased beyond this value. If the rewards distributed by the contract accumulate to a total value that surpasses the funds generated from selling boxes, the contract will lack sufficient Ether to honor reward claims. This limitation restricts the contract’s ability to scale and support a growing ecosystem where rewards may need to be more substantial than the initial funding.

Impact

If the rewards’ total value exceeds the contract’s available Ether, users will be unable to claim their rewards, leading to failed transactions and loss of user trust. This scenario can render the contract ineffective, as it would no longer be able to fulfill its primary purpose of distributing rewards. Additionally, it may discourage users from purchasing boxes if they perceive a high risk of not receiving rewards, ultimately affecting the contract’s adoption and sustainability.

PoC

1. Deployment: Deploy the MysteryBox contract with exactly 0.1 ether as the SEEDVALUE.

2. Reward Claims: A user purchase a box for 0.1ETH and opens it, attempting to claim rewards, and we assume that he won 0.5ETH.

4. Outcome: The contract lacks sufficient Ether to distribute the reward (it has 0.1 SEEDVALUE + 0.1 Boxe purchase = 0.2ETH, and the user should receive 0.5ETH), resulting in failed reward claim and reverted transactions.

This might happen anytime and after a lot of buys as well, so we need a mechanism to add more ETH to the smart contract.

Tolls used

Manual review

Recommendations

Add a receive function to receive eth and support the smart contract in case the odds are making the buyers claim more than what they pay to buy a box.