Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Valid

Mismatch Between Advertised Rewards in rewardPool and Actual Rewards Given in openBox Misleads Players

## Summary
The rewards defined in the `rewardPool` array during the contract's construction do not match the rewards being awarded by the `openBox` function. This inconsistency between the defined rewards and the rewards actually given out can create confusion and reduce trust in the protocol.
## Vulnerability Details
During the contract's construction, the rewards are pushed into the `rewardPool` array, which is public so that players can inspect the available rewards before participating. However, when `openBox` is called, it awards rewards whose values do not match the entries in `rewardPool`: "Silver Coin" is advertised at 0.25 ether but awarded at 0.5 ether, and "Gold Coin" is advertised at 0.5 ether but awarded at 1 ether. Because the advertised rewards and the distributed rewards disagree, players may feel misled about the rewards they are eligible to receive.
```solidity
constructor() payable {
    owner = msg.sender;
    boxPrice = 0.1 ether;
    require(msg.value >= SEEDVALUE, "Incorrect ETH sent");
    // Initialize with some default rewards
@>  rewardPool.push(Reward("Gold Coin", 0.5 ether));
@>  rewardPool.push(Reward("Silver Coin", 0.25 ether));
    rewardPool.push(Reward("Bronze Coin", 0.1 ether));
    rewardPool.push(Reward("Coal", 0 ether));
}

function openBox() public {
    require(boxesOwned[msg.sender] > 0, "No boxes to open");
    // Generate a random number between 0 and 99
    uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
    // Determine the reward based on probability
    if (randomValue < 75) {
        // 75% chance to get Coal (0-74)
        rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
    } else if (randomValue < 95) {
        // 20% chance to get Bronze Coin (75-94)
        rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
    } else if (randomValue < 99) {
        // 4% chance to get Silver Coin (95-98)
@>      rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether));
    } else {
        // 1% chance to get Gold Coin (99)
@>      rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether));
    }
    boxesOwned[msg.sender] -= 1;
}
```
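To make the drift measurable rather than eyeballed, the following is an added example (not code from the Mystery Box repository): it transcribes the two reward tables quoted above into Python, walks every possible `randomValue` in 0..99, and reports each reward whose value in `openBox` disagrees with its `rewardPool` entry. The helper names `open_box_reward`, `open_box_reward_from_pool`, `find_mismatches` and `outcome_probabilities` are this example's own; the last helper also demonstrates the single-source-of-truth pattern of looking the value up in the advertised pool, which produces no mismatches.

```python
"""Cross-check the advertised reward pool against what openBox actually hands out.

Added example, not part of the Mystery Box contest code. The two tables below are
transcribed from the constructor and openBox bodies quoted in the finding.
"""
from fractions import Fraction

WEI = 10**18  # 1 ether in wei

# Advertised rewards, in constructor order: (name, value in wei).
ADVERTISED_POOL = [
    ("Gold Coin", WEI // 2),     # 0.5 ether
    ("Silver Coin", WEI // 4),   # 0.25 ether
    ("Bronze Coin", WEI // 10),  # 0.1 ether
    ("Coal", 0),
]


def open_box_reward(random_value: int) -> tuple:
    """Mirror of the branch logic in openBox for a randomValue in [0, 99].

    The Silver and Gold values deliberately reproduce the amounts the contract
    awards, which differ from ADVERTISED_POOL."""
    if not 0 <= random_value < 100:
        raise ValueError("randomValue is reduced mod 100 on-chain")
    if random_value < 75:
        return ("Coal", 0)
    if random_value < 95:
        return ("Bronze Coin", WEI // 10)
    if random_value < 99:
        return ("Silver Coin", WEI // 2)  # 0.5 ether, advertised as 0.25
    return ("Gold Coin", WEI)             # 1 ether, advertised as 0.5


def open_box_reward_from_pool(random_value: int, pool=ADVERTISED_POOL) -> tuple:
    """Same odds, but the value is looked up in the advertised pool by name, so
    the award table cannot drift from rewardPool (the fixed pattern)."""
    name = open_box_reward(random_value)[0]
    return (name, dict(pool)[name])


def find_mismatches(pool, award) -> dict:
    """Enumerate every randomValue and collect rewards whose value disagrees
    with the pool. Returns {name: (advertised_value, actual_value)};
    advertised_value is None when the name is absent from the pool."""
    advertised = dict(pool)
    mismatches = {}
    for r in range(100):
        name, value = award(r)
        adv = advertised.get(name)
        if adv != value:
            mismatches[name] = (adv, value)
    return mismatches


def outcome_probabilities(award) -> dict:
    """Exact probability of each reward over the 100 equally likely outcomes,
    confirming the 75/20/4/1 split documented in the openBox comments."""
    counts = {}
    for r in range(100):
        name, _ = award(r)
        counts[name] = counts.get(name, 0) + 1
    return {name: Fraction(c, 100) for name, c in counts.items()}


if __name__ == "__main__":
    for name, (adv, actual) in find_mismatches(ADVERTISED_POOL, open_box_reward).items():
        print(f"{name}: advertised {adv / WEI} ether, awarded {actual / WEI} ether")
    print("after fix:", find_mismatches(ADVERTISED_POOL, open_box_reward_from_pool))
    for name, p in outcome_probabilities(open_box_reward).items():
        print(f"{name}: {p}")
```

Running the script lists the two drifted entries (Silver Coin and Gold Coin) and an empty mismatch set for the pool-backed variant; the same enumeration is the shape a Foundry invariant test would take against the deployed contract, iterating the branch space instead of relying on sampled randomness.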
## Impact
This inconsistency can create a significant misalignment between players' expectations and the actual outcomes of playing the game. Players may check the `rewardPool` and expect a certain set of rewards, only to discover that the rewards they receive after playing are different from what was advertised. This breaks the core principle of transparency in the protocol and damages its credibility, making the protocol appear deceptive or malicious by misleading players about the potential rewards.
## Tools Used
<details>
<summary>Proof of Concept</summary>
For example, according to the `rewardPool` array the "Gold Coin" reward is 0.5 ether, but in the `openBox` function the "Gold Coin" reward is 1 ether. The same issue applies to "Silver Coin": 0.25 ether in `rewardPool`, 0.5 ether in `openBox`.
</details>
## Recommendations
The following changes to the `openBox` function would suffice.
```diff
function openBox() public {
require(boxesOwned[msg.sender] > 0, "No boxes to open");
// Generate a random number between 0 and 99
uint256 randomValue = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 100;
// Determine the reward based on probability
if (randomValue < 75) {
// 75% chance to get Coal (0-74)
rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
} else if (randomValue < 95) {
// 20% chance to get Bronze Coin (75-94)
rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
} else if (randomValue < 99) {
// 4% chance to get Silver Coin (95-98)
- rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether));
+ rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.25 ether));
} else {
// 1% chance to get Gold Coin (99)
- rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether));
+ rewardsOwned[msg.sender].push(Reward("Gold Coin", 0.5 ether));
}
boxesOwned[msg.sender] -= 1;
}
```
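Review bot: The hunk only corrects the two hardcoded amounts (the `- ... Reward("Silver Coin", 0.5 ether)` / `+ ... 0.25 ether` and `- ... Reward("Gold Coin", 1 ether)` / `+ ... 0.5 ether` pairs), so `openBox` still carries its own copy of the reward table and the two can drift again on the next edit. Since the constructor pushes the entries in a fixed order (Gold Coin at index 0, Silver Coin at 1, Bronze Coin at 2, Coal at 3), consider pushing the pool entries themselves, e.g. `rewardsOwned[msg.sender].push(rewardPool[1]);` in the Silver branch, so that `rewardPool` is the single source of truth for both name and value.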
Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The rewards in constructor are different from the rewards in openBox
