Mystery Box

Description

The withdrawFunds function in the MysteryBox contract allows the contract owner to withdraw all Ether from the contract without checking if there are any pending rewards owed to users. This lack of verification means that the owner can deplete the contract’s balance even when users have accumulated rewards that they are entitled to claim, and boxes that they can open, As a result, withdrawing funds under these conditions can prevent users from successfully transferring or claiming their rewards.

Impact

Allowing the owner to withdraw funds without ensuring that all user rewards have been fulfilled and all boxes have been opened can lead to several issues:

• Failed Reward Claims: Users attempting to claim their rewards will encounter failed transactions due to insufficient contract balance, leading to frustration and loss of trust.

• Financial Loss for Users: Users who have purchased boxes and are expecting rewards may suffer financial losses if they are unable to claim their accumulated rewards.

• Erosion of Trust: The inability to fulfill reward claims can damage the contract’s reputation, discouraging current and potential users from participating.

• Contract Sustainability Risks: Continuous withdrawals without adequate funds to cover rewards can render the contract non-functional over time, undermining its intended purpose.

PoC

1. Deployment:

Deploy the MysteryBox contract with an initial SEEDVALUE of 0.1 ether.

2. Box Purchase and Reward Accumulation:

Users purchase boxes by calling the buyBox function and accumulate rewards by opening boxes using the openBox function.

3. Owner Withdraws Funds:

While users have pending rewards in their rewardsOwned mappings, and boxes which are not opened yet, the owner calls the withdrawFunds function to transfer all Ether from the contract to their address.

4. Attempt to Claim Rewards:

Users attempt to claim their rewards by calling claimAllRewards or claimSingleReward.

5. Outcome:

Since the contract’s Ether balance has been depleted by the owner’s withdrawal, reward claims fail due to insufficient funds, causing transactions to revert and users to be unable to receive their rewards.

Tools Used

• Manual review

Recommendations

Implement a Check for Pending Rewards Before Withdrawal:

Modify the withdrawFunds function to ensure that there are no pending rewards or unopened boxes before allowing the owner to withdraw funds. This can be achieved by maintaining a totalPendingRewards counter that tracks the total value of all pending rewards