The setBoxPrice function allows the contract owner to adjust the boxPrice without restrictions. If the owner sets the boxPrice below the highest reward value (e.g., setting it below 0.5 ether for the “Gold Coin”), the revenue generated from selling boxes may not be sufficient to cover the costs of distributing high-value rewards. This imbalance can lead to the contract depleting its Ether reserves, especially since there is no mechanism to inject additional funds once the initial SEEDVALUE is exhausted.
Setting the boxPrice too low relative to the reward values can result in the contract running out of Ether needed to fulfill reward claims. When the contract lacks sufficient funds, users attempting to claim high-value rewards will encounter failed transactions. This not only frustrates users and erodes trust in the contract but also jeopardizes the sustainability of the entire ecosystem. Over time, the inability to honor reward claims can lead to a loss of user engagement and a tarnished reputation for the project.
1. Deployment: Deploy the MysteryBox contract with an initial SEEDVALUE of 0.1 ether.
2. Set Box Price: The owner sets the boxPrice to a low value, such as 0.05 ether, using the setBoxPrice function.
3. Box Sales: Users purchase a significant number of boxes at the reduced price, accumulating funds in the contract.
4. Open Boxes: Users open boxes and attempt to claim high-value rewards.
5. Outcome: The contract’s Ether balance is insufficient to cover the high-value rewards, causing reward claims to fail and transactions to revert.
Manual review
• Enforce Minimum Box Price: Implement a minimum threshold for boxPrice that ensures it covers the highest possible reward value. For instance, set the boxPrice to be at least equal to the highest reward in the rewardPool.
• Add a Funding Path: Add a receive function that accepts ETH so the contract can be refunded if it runs out of ETH.
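One way to implement both recommendations, as an added sketch rather than the audited MysteryBox source. The Reward struct layout, the owner variable, the second pool entry, and the error and event names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of the two recommendations; not the audited contract.
// Assumed: Reward struct layout, owner variable, error and event names.
contract BoxPriceFloorSketch {
    struct Reward {
        string name;
        uint256 value; // payout in wei
    }

    address public immutable owner;
    uint256 public boxPrice;
    Reward[] public rewardPool;

    error NotOwner();
    error PriceBelowHighestReward(uint256 price, uint256 highestReward);

    event BoxPriceUpdated(uint256 oldPrice, uint256 newPrice);

    constructor() payable {
        owner = msg.sender;
        rewardPool.push(Reward("Gold Coin", 0.5 ether)); // value from the finding
        rewardPool.push(Reward("Placeholder Reward", 0.1 ether)); // constructed entry
        boxPrice = highestReward(); // start at the floor, never below it
    }

    // Largest payout currently in rewardPool.
    function highestReward() public view returns (uint256 max) {
        uint256 len = rewardPool.length;
        for (uint256 i = 0; i < len; i++) {
            uint256 v = rewardPool[i].value;
            if (v > max) max = v;
        }
    }

    // The owner can still change the price, but never below the largest payout.
    function setBoxPrice(uint256 newPrice) external {
        if (msg.sender != owner) revert NotOwner();
        uint256 floor = highestReward();
        if (newPrice < floor) revert PriceBelowHighestReward(newPrice, floor);
        emit BoxPriceUpdated(boxPrice, newPrice);
        boxPrice = newPrice;
    }

    // Accept plain ETH transfers so reserves can be topped up after SEEDVALUE is spent.
    receive() external payable {}
}
```

If rewardPool can change after deployment, the same floor check belongs wherever a reward is added or its value is raised.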