Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Invalid

Missing Zero Address Checks in owner change and reward transfer

Summary

The MysteryBox contract lacks zero address checks in the changeOwner and transferReward functions. This omission could potentially lead to accidental loss of ownership or rewards if these functions are called with the zero address as an argument.

Vulnerability Details

The MysteryBox contract contains two functions that lack crucial zero address checks:

  1. In the changeOwner function:

function changeOwner(address _newOwner) public {
@>  owner = _newOwner;
}

This function allows changing the owner without verifying that the new owner address is not the zero address.

  2. In the transferReward function:

function transferReward(address _to, uint256 _index) public {
    require(_index < rewardsOwned[msg.sender].length, "Invalid index");
@>  rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
    delete rewardsOwned[msg.sender][_index];
}

This function allows transferring rewards without checking if the recipient address is the zero address.

The absence of these checks could lead to unintended loss of contract ownership or rewards being sent to an unrecoverable address.

Impact

The lack of zero address checks in these functions can lead to several serious consequences:

  1. Loss of Contract Ownership: If the changeOwner function is called with the zero address (0x0) as the _newOwner, either accidentally or maliciously, the contract would become effectively ownerless. This would render all owner-specific functions (like setBoxPrice, addReward, and withdrawFunds) permanently inaccessible, potentially locking funds and functionality.

  2. Irretrievable Rewards: If the transferReward function is called with the zero address as the _to parameter, the reward would be transferred to an address that no one controls. This would result in the permanent loss of that reward, as it cannot be retrieved from the zero address.

  3. User Frustration and Loss of Trust: Users who accidentally input the zero address when transferring rewards would lose their rewards with no way to recover them. This could lead to frustration and a loss of trust in the platform.

  4. Potential for Abuse: Malicious actors could exploit these vulnerabilities to intentionally "burn" rewards or render the contract inoperable by changing the owner to the zero address.

While these scenarios might be rare, their potential impact is severe enough to warrant attention and mitigation.

Tools Used

  • Manual review of the smart contract code

Recommendations

To mitigate these vulnerabilities, it is recommended to implement zero address checks in both the changeOwner and transferReward functions. Here are the suggested modifications:

  1. For the changeOwner function:

function changeOwner(address _newOwner) public {
+ require(_newOwner != address(0), "New owner cannot be the zero address");
owner = _newOwner;
}
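
Review bot: the new require in changeOwner validates the argument, but nothing in the lines shown validates the caller: the function is `public` with no modifier and no check on `msg.sender`, so the zero-address guard alone does not decide who may reassign `owner`. Suggest adding a caller check next to it, for example `require(msg.sender == owner, "Only owner");`, or pointing to where that restriction is enforced if it lives outside this snippet.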

  2. For the transferReward function:

function transferReward(address _to, uint256 _index) public {
require(_index < rewardsOwned[msg.sender].length, "Invalid index");
+ require(_to != address(0), "Cannot transfer reward to the zero address");
rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
delete rewardsOwned[msg.sender][_index];
}
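
Review bot: on the last line of the body, `delete rewardsOwned[msg.sender][_index];` resets the slot to its default value but leaves the array length unchanged, so once the new zero-address check passes the sender still holds an empty entry at `_index` and the first require keeps accepting that index. Suggest moving the last element into `_index` and calling `pop()`, or documenting that emptied slots are expected.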

These changes will prevent the assignment of the zero address as the new owner and the transfer of rewards to the zero address, respectively.
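
A Foundry regression test for the two recommended checks, added here as an example and not taken from the submission or the MysteryBox code base. `GuardedBox`, `seedReward` and the `uint256` reward type are stand-ins assumed for the test; the two guarded functions and their revert messages are copied from the Recommendations above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import {Test} from "forge-std/Test.sol";

// Stand-in, not the audited contract. Assumed: uint256 reward type, seedReward helper.
contract GuardedBox {
    address public owner = msg.sender;
    mapping(address => uint256[]) public rewardsOwned;
    function seedReward(uint256 v) public { rewardsOwned[msg.sender].push(v); } // test helper

    function changeOwner(address _newOwner) public {
        require(_newOwner != address(0), "New owner cannot be the zero address");
        owner = _newOwner;
    }

    function transferReward(address _to, uint256 _index) public {
        require(_index < rewardsOwned[msg.sender].length, "Invalid index");
        require(_to != address(0), "Cannot transfer reward to the zero address");
        rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
        delete rewardsOwned[msg.sender][_index];
    }
}

contract GuardedBoxTest is Test {
    GuardedBox box;

    function setUp() public {
        box = new GuardedBox(); // this test contract is deployer and owner
        box.seedReward(42);     // constructed sample reward at index 0
    }

    function test_changeOwnerRejectsZeroAddress() public {
        vm.expectRevert(bytes("New owner cannot be the zero address"));
        box.changeOwner(address(0));
        assertEq(box.owner(), address(this)); // ownership unchanged
    }

    function test_transferRewardRejectsZeroAddress() public {
        vm.expectRevert(bytes("Cannot transfer reward to the zero address"));
        box.transferReward(address(0), 0);
        assertEq(box.rewardsOwned(address(this), 0), 42); // reward still held
    }

    function testFuzz_nonZeroRecipientStillReceives(address to) public {
        vm.assume(to != address(0) && to != address(this));
        box.transferReward(to, 0); // the guard must not block ordinary transfers
        assertEq(box.rewardsOwned(to, 0), 42);
    }
}
```

Run it with `forge test` in a Foundry project that has forge-std installed.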

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
