`Coal` Reward Value Is Zero and May Provide No Benefit to the User
Summary
The Coal reward in the MysteryBox contract is assigned a value of 0 ether, which provides no actual reward to the user. This may lead to dissatisfaction since users are paying for mystery boxes and may receive something of no value in return.
Vulnerability Details
In both the constructor and the openBox function, Coal is assigned a reward value of 0 ether. Although the protocol specifies that this is a "random reward", receiving something with no monetary value may be illogical from a user-experience perspective. This could result in negative sentiment or disincentivize users from engaging with the contract.
Impact
Users may feel misled or frustrated after paying for mystery boxes and receiving a reward of no value. This could decrease participation in the protocol and harm its reputation.
Tools Used
Manual Code Review
Recommendations
Consider assigning a minimal reward value to Coal or implementing an alternative mechanism that avoids providing zero-value rewards entirely. Alternatively, update the logic so that users understand they might receive no valuable reward.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.