Mystery Box

First Flight #25
Beginner Friendly, Foundry
Submission Details
Severity: low
Invalid

Function `transferReward` lacks important implementation for trading rewards

Summary

As intended by the protocol (see README -> user role), the `transferReward` function is meant to be used for ***trading*** rewards with other users. Trading as a concept requires an exchange of objects, or of objects for payment.

Vulnerability Details

There is no line of code that would enable any kind of Ether/token-for-reward exchange. The only functionality is to transfer a given entry of `rewardsOwned` belonging to `msg.sender` to an address. By doing this, `msg.sender` essentially gives away the prize for free and, on top of that, pays the gas fees for the transaction.

```solidity
function transferReward(address _to, uint256 _index) public {
    require(_index < rewardsOwned[msg.sender].length, "Invalid index");
    rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
    delete rewardsOwned[msg.sender][_index];
}
```

Impact

The project advertises trading functionality but implements none, thus misleading potential users.

Tools Used

Manual review

Recommendations

The function needs additional logic implemented for handling Ether/token-for-reward exchange.
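
One way the recommended Ether-for-reward exchange could look, as an added example that is not MysteryBox code or part of the submission. The `Reward` struct shape, the `listings` and `proceeds` mappings, and the functions `listReward`, `cancelListing`, `buyReward` and `withdrawProceeds` are all assumptions; how rewards first enter `rewardsOwned` is left to the existing contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration. Every name except rewardsOwned is hypothetical.
contract RewardTradeExample {
    struct Reward { string name; uint256 value; }   // assumed shape
    struct Listing { uint256 price; bool active; }

    mapping(address => Reward[]) public rewardsOwned;
    mapping(address => mapping(uint256 => Listing)) public listings; // seller => index
    mapping(address => uint256) public proceeds;    // pull-payment balances

    // Seller offers one owned reward for a fixed Ether price.
    function listReward(uint256 _index, uint256 _price) external {
        require(_index < rewardsOwned[msg.sender].length, "Invalid index");
        // `delete` leaves a zeroed slot behind, so refuse to list an emptied one.
        require(bytes(rewardsOwned[msg.sender][_index].name).length != 0, "Empty slot");
        require(_price > 0, "Price required");
        listings[msg.sender][_index] = Listing(_price, true);
    }

    function cancelListing(uint256 _index) external {
        delete listings[msg.sender][_index];
    }

    // Buyer pays the exact price; reward and payment change hands in one transaction.
    function buyReward(address _seller, uint256 _index) external payable {
        Listing memory l = listings[_seller][_index];
        require(l.active, "Not listed");
        require(msg.value == l.price, "Wrong payment");
        // State changes first; no Ether leaves the contract in this function.
        delete listings[_seller][_index];
        rewardsOwned[msg.sender].push(rewardsOwned[_seller][_index]);
        delete rewardsOwned[_seller][_index]; // same slot-clearing as transferReward
        proceeds[_seller] += msg.value;
    }

    // Seller pulls the payment; the balance is zeroed before the external call.
    function withdrawProceeds() external {
        uint256 amount = proceeds[msg.sender];
        require(amount > 0, "Nothing to withdraw");
        proceeds[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "Transfer failed");
    }
}
```

Crediting `proceeds` instead of paying the seller inside `buyReward` keeps a reverting or re-entering seller address from blocking or manipulating the sale.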

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
