The claimAllRewards function in the MysteryBox contract contains an unbounded for loop that iterates over the rewardsOwned[msg.sender] array to calculate the total value of rewards a user can claim:
1. Transaction Failures:
• User Experience: Users with a large number of rewards may find themselves unable to claim their rewards as the claimAllRewards function may run out of gas, causing the transaction to revert.
2. Contract Usability:
• Scalability Issues: As the number of rewards per user increases, the contract becomes less scalable, limiting its ability to handle a growing user base effectively.
3. Financial Implications:
• Unclaimed Rewards: Users may accumulate rewards that they are unable to claim, leading to unfulfilled obligations by the contract.
1. Deployment:
• Deploy the MysteryBox contract on a testnet with an initial SEEDVALUE of 0.1 ether.
2. Reward Accumulation:
• Simulate a user acquiring a large number of rewards by repeatedly calling the openBox function to push multiple rewards into rewardsOwned[msg.sender].
3. Claiming Rewards:
• Attempt to call the claimAllRewards function with a significantly large rewardsOwned[msg.sender] array.
4. Observation:
• The transaction is likely to fail due to exceeding the block gas limit, resulting in an “out of gas” error.
5. Outcome:
• The user is unable to claim their rewards, leading to failed transactions and unfulfilled reward claims.
• **Manual Code Review:** Analyzing the smart contract’s source code to identify the presence of unbounded loops and their potential impact on gas consumption.
• Implement a Pull Over Push Pattern: Instead of calculating the total rewards within a single loop over every reward, allow users to claim their rewards incrementally. For example, users can claim rewards in smaller batches (providing an array of multiple box indexes) so that the gas cost of each call stays bounded regardless of how many rewards a user has accumulated.
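The following contract is an added illustration for this finding, not the audited MysteryBox source: it places the unbounded claimAllRewards loop next to a batched claimRewards(uint256[] indexes) variant of the recommended pull pattern. The Reward struct, the rewardsOwned layout, the simplified openBox and the MAX_BATCH value are assumptions made for the example. The batched version requires strictly descending indexes so that no index can be passed twice and swap-and-pop removal of a higher index never shifts a lower one, and it removes entries before sending ether so a claimed reward cannot be claimed again.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustrative contract for this finding (assumed layout, not the audited code).
contract BatchedRewards {
    struct Reward {
        string name;
        uint256 value;
    }

    /// Upper bound on rewards settled per call so gas stays predictable (assumed value).
    uint256 public constant MAX_BATCH = 50;

    mapping(address => Reward[]) public rewardsOwned;

    /// Simplified stand-in for the real openBox: every call appends one reward.
    function openBox() external payable {
        require(msg.value == 0.1 ether, "Box costs 0.1 ether");
        rewardsOwned[msg.sender].push(Reward({name: "Coal", value: 0.01 ether}));
    }

    /// Vulnerable pattern from the finding: the loop grows with the caller's
    /// reward count, so a large enough array pushes the call past the block
    /// gas limit and the user can never claim.
    function claimAllRewards() external {
        Reward[] storage rewards = rewardsOwned[msg.sender];
        uint256 totalValue = 0;
        for (uint256 i = 0; i < rewards.length; i++) {
            totalValue += rewards[i].value;
        }
        require(totalValue > 0, "No rewards to claim");
        delete rewardsOwned[msg.sender];
        (bool ok, ) = payable(msg.sender).call{value: totalValue}("");
        require(ok, "Transfer failed");
    }

    /// Recommended pull pattern: the caller picks which reward indexes to
    /// settle, at most MAX_BATCH per call. Indexes must be strictly descending
    /// so no index repeats and removing a higher index never moves a lower one.
    function claimRewards(uint256[] calldata indexes) external {
        require(indexes.length > 0 && indexes.length <= MAX_BATCH, "Bad batch size");
        Reward[] storage rewards = rewardsOwned[msg.sender];
        uint256 totalValue = 0;

        for (uint256 k = 0; k < indexes.length; k++) {
            uint256 idx = indexes[k];
            require(idx < rewards.length, "Index out of range");
            if (k > 0) {
                require(idx < indexes[k - 1], "Indexes must be strictly descending");
            }
            totalValue += rewards[idx].value;

            // Effects before interaction: drop the entry now (swap-and-pop) so it
            // cannot be claimed a second time. The element moved into idx comes
            // from a higher slot, which no later (smaller) index will reference.
            uint256 last = rewards.length - 1;
            if (idx != last) {
                rewards[idx] = rewards[last];
            }
            rewards.pop();
        }

        require(totalValue > 0, "No rewards to claim");
        (bool ok, ) = payable(msg.sender).call{value: totalValue}("");
        require(ok, "Transfer failed");
    }

    /// Lets a front end size its batches: claim indexes [n-1 .. n-MAX_BATCH] first.
    function rewardCount(address user) external view returns (uint256) {
        return rewardsOwned[user].length;
    }

    receive() external payable {}
}
```

A user with, say, 300 rewards calls rewardCount, then claimRewards with indexes 299 down to 250, then 249 down to 200, and so on; each call touches at most MAX_BATCH storage slots, so its gas cost is fixed in advance and no accumulated balance becomes permanently unclaimable. Because claimed entries are removed in the same transaction that pays them out, a reverting call leaves the array untouched and a successful one cannot be replayed for the same index.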