Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: low
Valid

Reward pool values differ from the rewards a user can win

Summary

In the constructor of the MysteryBox contract, the owner creates the reward pool. There are 4 rewards, and each of them has a specific amount of ETH.

rewardPool.push(Reward("Gold Coin", 0.5 ether));
rewardPool.push(Reward("Silver Coin", 0.25 ether));
rewardPool.push(Reward("Bronze Coin", 0.1 ether));
rewardPool.push(Reward("Coal", 0 ether));

Vulnerability Details

If a user buys a box, they can open it to check the rewards using the MysteryBox::openBox function. However, in this function the amount of ETH assigned to each reward is different from the amount in the constructor.

// Determine the reward based on probability
if (randomValue < 75) {
    // 75% chance to get Coal (0-74)
    rewardsOwned[msg.sender].push(Reward("Coal", 0 ether));
} else if (randomValue < 95) {
    // 20% chance to get Bronze Coin (75-94)
    rewardsOwned[msg.sender].push(Reward("Bronze Coin", 0.1 ether));
} else if (randomValue < 99) {
    // 4% chance to get Silver Coin (95-98)
    rewardsOwned[msg.sender].push(Reward("Silver Coin", 0.5 ether));
} else {
    // 1% chance to get Gold Coin (99)
    rewardsOwned[msg.sender].push(Reward("Gold Coin", 1 ether));
}

Gold Coin - 0.5 ETH in the constructor, 1 ETH in the openBox

Silver Coin - 0.25 ETH in the constructor, 0.5 ETH in the openBox

Impact

Rewards won by the user will be different (higher) than the owner assumed at the beginning.

Tools Used

Manual Review

Recommendations

Change the values in the MysteryBox::openBox function for the Silver Coin and Gold Coin rewards.
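
One way to keep the two places from drifting apart again, as an added example that is not part of the original submission or the MysteryBox source: the reward values are written once, in rewardPool, and the reward-assignment logic copies entries from the pool by index instead of repeating ETH literals. The contract name RewardTable, the index constants, and the functions rewardIndexFor and _grantReward are hypothetical; randomValue is taken as a parameter because its generation is not shown on this page.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: hypothetical contract, not the audited MysteryBox source.
contract RewardTable {
    struct Reward {
        string name;
        uint256 value;
    }

    // Indexes into rewardPool. The pool is the only place values are defined.
    uint256 private constant GOLD = 0;
    uint256 private constant SILVER = 1;
    uint256 private constant BRONZE = 2;
    uint256 private constant COAL = 3;

    Reward[] public rewardPool;
    mapping(address => Reward[]) public rewardsOwned;

    constructor() {
        // Push order must match the index constants above.
        rewardPool.push(Reward("Gold Coin", 0.5 ether));
        rewardPool.push(Reward("Silver Coin", 0.25 ether));
        rewardPool.push(Reward("Bronze Coin", 0.1 ether));
        rewardPool.push(Reward("Coal", 0 ether));
    }

    // Same probability bands as openBox, but the result is a pool index
    // rather than a Reward built from a second set of literals.
    function rewardIndexFor(uint256 randomValue) public pure returns (uint256) {
        require(randomValue < 100, "randomValue out of range");
        if (randomValue < 75) return COAL;   // 75% (0-74)
        if (randomValue < 95) return BRONZE; // 20% (75-94)
        if (randomValue < 99) return SILVER; // 4%  (95-98)
        return GOLD;                         // 1%  (99)
    }

    // Hypothetical stand-in for the reward-assignment step of openBox.
    // The granted reward is copied from the pool, so its value cannot
    // differ from what the constructor set.
    function _grantReward(address user, uint256 randomValue) internal {
        rewardsOwned[user].push(rewardPool[rewardIndexFor(randomValue)]);
    }
}
```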

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

The rewards in constructor are different from the rewards in openBox
