Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

The protocol can have insufficient funds to payout users mystery boxes

Summary

If a user wins a mystery box worth more than the balance held by the protocol, the user will not be able to claim the reward they won.

Vulnerability Details

For example, if the protocol starts with 0.1 ether and a user buys a mystery box for 0.1 ether but wins a mystery box worth 1 ether, they will not be able to withdraw this reward.

Impact

Users will not receive the winnings from the mystery boxes they have won. The test below fails with an OutOfFund error if the user wins a Silver or Gold mystery box.

```solidity
function testOpenBoxAndClaimReward() public {
    // Fund the user and buy one box at the 0.1 ether price.
    vm.deal(user1, 1 ether);
    vm.prank(user1);
    mysteryBox.buyBox{value: 0.1 ether}();
    console.log("Before Open:", mysteryBox.boxesOwned(user1));

    // Open the box; a reward is assigned to user1.
    vm.prank(user1);
    mysteryBox.openBox();
    console.log("After Open:", mysteryBox.boxesOwned(user1));
    assertEq(mysteryBox.boxesOwned(user1), 0);

    // One unclaimed reward should now be recorded for user1.
    vm.prank(user1);
    MysteryBox.Reward[] memory rewards = mysteryBox.getRewards();
    console2.log(rewards[0].name);
    assertEq(rewards.length, 1);

    // Claiming reverts with OutOfFund when the reward (Silver or Gold)
    // exceeds the contract's balance.
    vm.prank(user1);
    mysteryBox.claimAllRewards();
    assertEq(user1.balance, 1 ether);

    // Re-read the list: the memory copy above is not updated by the claim.
    vm.prank(user1);
    rewards = mysteryBox.getRewards();
    assertEq(rewards.length, 0);
}
```

Tools Used

Foundry

Recommendations

It is recommended not to allow users to buy mystery boxes unless the protocol holds at least the value of the highest-value mystery box reward.

function buyBox() public payable {
require(msg.value == boxPrice, "Incorrect ETH sent");
+ require(address(this).balance > 1 ether, "Insuffecient funds in the contract.");
boxesOwned[msg.sender] += 1;
}
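Review bot: the added require hardcodes 1 ether and uses a strict `>` where the recommendation text asks for "at least" the highest reward value, so `>=` against the actual maximum value in the reward pool would match the stated intent. At this point `address(this).balance` already includes the incoming `msg.value`, and the check does not account for rewards that were already assigned but not yet claimed, so a second buyer passes it while the first winner's prize is still unpaid; tracking outstanding liabilities and requiring `balance >= liabilities + maxReward` closes that gap. The message also misspells "Insufficient".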
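The following contract is an added illustration of the recommended reserve check and is not the audited MysteryBox contract or its fix. It assumes a hypothetical reward pool and struct layout; the reward values are constructed placeholders, and the `openBox(uint256 pick)` index parameter is a test hook so every branch can be driven from a test, not a reward-selection design. It goes one step beyond the one-line require above by also reserving rewards that have been assigned but not yet claimed, so the sale of a second box cannot eat into a first winner's unpaid prize.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration (not the protocol's code): a box sale that is refused
/// unless the contract can cover every reward it may still owe.
contract ReserveGuardedMysteryBox {
    struct Reward {
        string name;
        uint256 value;
    }

    uint256 public immutable boxPrice;
    Reward[] public rewardPool;              // possible outcomes of a box
    uint256 public maxRewardValue;           // largest value in rewardPool
    uint256 public outstandingLiabilities;   // sum of assigned, unclaimed rewards

    mapping(address => uint256) public boxesOwned;
    mapping(address => Reward[]) private rewardsOwned;

    error InsufficientReserve(uint256 balance, uint256 required);

    constructor(uint256 _boxPrice) payable {
        boxPrice = _boxPrice;
        // Constructed sample pool; values are placeholders, not the protocol's.
        rewardPool.push(Reward("Coal", 0));
        rewardPool.push(Reward("Bronze Coin", 0.1 ether));
        rewardPool.push(Reward("Silver Coin", 0.5 ether));
        rewardPool.push(Reward("Gold Coin", 1 ether));
        for (uint256 i = 0; i < rewardPool.length; i++) {
            if (rewardPool[i].value > maxRewardValue) {
                maxRewardValue = rewardPool[i].value;
            }
        }
    }

    /// Funds the contract can still promise: balance minus rewards already owed.
    function freeReserve() public view returns (uint256) {
        uint256 bal = address(this).balance;
        return bal > outstandingLiabilities ? bal - outstandingLiabilities : 0;
    }

    function buyBox() external payable {
        require(msg.value == boxPrice, "Incorrect ETH sent");
        // address(this).balance already includes msg.value here. Refuse the sale
        // unless the worst-case prize for this box is covered on top of what is
        // already owed to other players.
        uint256 required = outstandingLiabilities + maxRewardValue;
        if (address(this).balance < required) {
            revert InsufficientReserve(address(this).balance, required);
        }
        boxesOwned[msg.sender] += 1;
    }

    /// Assigns a reward by index. The index is supplied by the caller only so a
    /// test can exercise the accounting; this is NOT a reward-selection scheme.
    function openBox(uint256 pick) external {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        Reward memory r = rewardPool[pick % rewardPool.length];
        boxesOwned[msg.sender] -= 1;
        rewardsOwned[msg.sender].push(r);
        outstandingLiabilities += r.value;   // reserve the prize when it is assigned
    }

    function claimAllRewards() external {
        Reward[] storage owed = rewardsOwned[msg.sender];
        uint256 total;
        for (uint256 i = 0; i < owed.length; i++) {
            total += owed[i].value;
        }
        delete rewardsOwned[msg.sender];      // effects before the external call
        outstandingLiabilities -= total;
        (bool ok, ) = msg.sender.call{value: total}("");
        require(ok, "Transfer failed");
    }

    function getRewards() external view returns (Reward[] memory) {
        return rewardsOwned[msg.sender];
    }
}
```

With this check, the scenario from the test above changes where it fails: a deployer who seeds the contract with less than the maximum reward (1 ether in this sample pool) gets an `InsufficientReserve` revert on the very first `buyBox`, before any user has paid, instead of an OutOfFund revert at claim time after the user has already spent 0.1 ether. `freeReserve()` is exposed so an operator can see how many worst-case boxes the contract can still back.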

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

Protocol should have a higher initial balance to prevent prize withdrawing problems
