Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Invalid

Potential Transaction Reversion Due to Dynamic Price Changes

Summary

The owner can change the price of mystery boxes at any time using the setBoxPrice function. If the owner's price update is mined before a user's pending buyBox transaction, the user's transaction reverts because the Ether they attached no longer matches the new boxPrice.

Vulnerability Details

The contract includes a setBoxPrice function that enables the owner to update the box price at any time:

```solidity
function setBoxPrice(uint256 _price) public {
    require(msg.sender == owner, "Only owner can set price");
    boxPrice = _price;
}
```

The buyBox function requires users to send exactly the current boxPrice in Ether to successfully purchase a mystery box:

```solidity
function buyBox() public payable {
    require(msg.value == boxPrice, "Incorrect ETH sent");
    boxesOwned[msg.sender] += 1;
}
```

If the owner changes boxPrice after a user has read the price but before the user's buyBox transaction is included in a block, the transaction reverts at the equality check, because msg.value was set against the old price.

Impact

When boxPrice changes between the time a user reads it and the time their transaction is mined, the user's transaction reverts: they pay gas for a failed call and receive no box. This degrades the user experience and may discourage users from participating.

Tools Used

Manual Review

Recommendations

To mitigate issues related to relying on a mutable boxPrice stored in the contract's state, pass the price the user expects to pay as an argument to the buyBox function:

```solidity
function buyBox(uint256 expectedPrice) public payable {
    require(msg.value == expectedPrice, "Incorrect ETH sent");
    require(expectedPrice == boxPrice, "Price mismatch");
    boxesOwned[msg.sender] += 1;
}
```

Passing the expected box price as an argument to buyBox makes the user's intent explicit in the transaction itself and distinguishes a wrong payment amount from a price that changed after the user quoted it, which helps mitigate confusion caused by dynamic price changes.
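As an added Foundry test (not part of this submission or the contest code base; it assumes forge-std is available and uses minimal stand-in contracts built only from the two buyBox variants quoted above), this reproduces the sequence the report describes and shows what each variant's revert reason tells the user:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the original contract (assumed shape, not the project's code).
contract BoxOriginal {
    address public owner = msg.sender;
    uint256 public boxPrice = 0.1 ether;
    mapping(address => uint256) public boxesOwned;

    function setBoxPrice(uint256 _price) public {
        require(msg.sender == owner, "Only owner can set price");
        boxPrice = _price;
    }

    function buyBox() public payable {
        require(msg.value == boxPrice, "Incorrect ETH sent");
        boxesOwned[msg.sender] += 1;
    }
}

// Stand-in carrying the recommended expectedPrice variant.
contract BoxWithExpectedPrice is BoxOriginal {
    function buyBox(uint256 expectedPrice) public payable {
        require(msg.value == expectedPrice, "Incorrect ETH sent");
        require(expectedPrice == boxPrice, "Price mismatch");
        boxesOwned[msg.sender] += 1;
    }
}

contract PriceChangeTest is Test {
    address user = makeAddr("user");

    function test_priceChangeBeforeBuy() public {
        BoxOriginal box = new BoxOriginal();             // test contract is owner
        BoxWithExpectedPrice box2 = new BoxWithExpectedPrice();
        vm.deal(user, 1 ether);

        uint256 quoted = box.boxPrice();                 // user reads 0.1 ether
        box.setBoxPrice(0.2 ether);                      // owner's update lands first
        box2.setBoxPrice(0.2 ether);

        vm.startPrank(user);
        vm.expectRevert(bytes("Incorrect ETH sent"));
        box.buyBox{value: quoted}();                     // original: ambiguous reason
        vm.expectRevert(bytes("Price mismatch"));
        box2.buyBox{value: quoted}(quoted);              // recommended: explicit reason
        box2.buyBox{value: 0.2 ether}(0.2 ether);        // matching price succeeds
        vm.stopPrank();
        assertEq(box2.boxesOwned(user), 1);
    }
}
```

Both variants still revert when the price moves; the difference the test makes visible is only in the revert reason the user receives.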

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
