Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: high
Invalid

Economic Design Flaw in Reward Distribution of MysteryBox Contract

Summary

The MysteryBox smart contract presents a significant economic design flaw that negatively affects the user experience and the long-term viability of the protocol. Specifically, the probability distribution for rewards overwhelmingly favors a reward with zero ether value, leading to a high likelihood that users will receive nothing of value despite paying a fixed amount of 0.1 ether per box. This flaw undermines user trust and engagement, while disproportionately benefiting the contract owner.

Vulnerability Details
The openBox() function in the contract determines which reward users receive after purchasing and opening a mystery box. The distribution of rewards is as follows:

  • 75% chance to receive "Coal" (worth 0 ether)

  • 20% chance to receive "Bronze Coin" (worth 0.1 ether)

  • 4% chance to receive "Silver Coin" (worth 0.5 ether)

  • 1% chance to receive "Gold Coin" (worth 1 ether)

In this setup, 75% of users will receive a reward of no value (Coal) despite having paid 0.1 ether to open a mystery box. This creates a high likelihood that users will feel dissatisfied and believe that the protocol is unfairly exploiting them for profit, which will discourage participation and damage the reputation of the platform.

Impact

  • User Dissatisfaction: A large number of users (75%) are likely to feel that they have been misled or cheated when they receive a worthless reward (Coal) after paying 0.1 ether to open a box.

  • Protocol Longevity: This flawed economic model discourages users from continuing to participate in the protocol, leading to long-term damage to the protocol's reputation and potential collapse of user engagement.

  • Trust Issues: The disproportionate rewards distribution benefits the contract owner at the expense of users, which could be perceived as exploitative and lead to loss of trust in the platform.

Tools Used

manual review

Recommendations
  • Adjust Reward Probabilities:

    • Lower the probability of receiving Coal (e.g., to 50%) and distribute the remaining probabilities among other rewards.

  • Introduce Additional Reward Tiers:

    • Replace the 75% Coal reward with additional low-value rewards (e.g., "Copper Coin" worth 0.05 ether), providing users with at least some tangible return on their investment.

  • Implement a Fair Pricing Model:

    • The price of a mystery box should reflect the likelihood of receiving a valuable reward, or introduce a dynamic pricing mechanism that adjusts the box price based on reward probabilities.

  • Guarantee System:

    • Implement a system where users are guaranteed at least one valuable reward after opening a certain number of boxes, mitigating frustration and promoting continued engagement.
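
The distribution and the first two recommendations above, quantified as an added example (not part of the original submission or of the MysteryBox code): it computes the expected payout per box and the share of each box price the contract keeps on average. The adjusted table (Coal at 50%, a 25% "Copper Coin" worth 0.05 ether) is one constructed reading of the recommendations, and all function names are hypothetical.

```python
from fractions import Fraction

ETHER = 10**18
BOX_PRICE_WEI = ETHER // 10  # 0.1 ether per box, as stated in the finding

# (reward, chance in percent, value in wei) exactly as listed in the finding
CURRENT_TABLE = [
    ("Coal", 75, 0),
    ("Bronze Coin", 20, ETHER // 10),
    ("Silver Coin", 4, ETHER // 2),
    ("Gold Coin", 1, ETHER),
]

# Constructed variant (assumption): Coal lowered to 50%, the freed 25%
# given to a "Copper Coin" worth 0.05 ether; other tiers unchanged.
ADJUSTED_TABLE = [
    ("Coal", 50, 0),
    ("Copper Coin", 25, ETHER // 20),
    ("Bronze Coin", 20, ETHER // 10),
    ("Silver Coin", 4, ETHER // 2),
    ("Gold Coin", 1, ETHER),
]

def expected_payout_wei(table):
    """Average reward value per opened box, as an exact fraction of wei."""
    if sum(chance for _, chance, _ in table) != 100:
        raise ValueError("reward chances must sum to 100%")
    return Fraction(sum(chance * value for _, chance, value in table), 100)

def owner_margin(table, price_wei=BOX_PRICE_WEI):
    """Share of each box price retained by the contract on average."""
    return 1 - expected_payout_wei(table) / price_wei

def outcome_split(table, price_wei=BOX_PRICE_WEI):
    """Percent of opens that pay less than, exactly, and more than the price."""
    below = sum(c for _, c, v in table if v < price_wei)
    equal = sum(c for _, c, v in table if v == price_wei)
    return below, equal, 100 - below - equal

def zero_streak_probability(table, boxes):
    """Chance that `boxes` consecutive opens all yield a zero-value reward."""
    zero = Fraction(sum(c for _, c, v in table if v == 0), 100)
    return zero ** boxes

if __name__ == "__main__":
    for label, table in (("current", CURRENT_TABLE), ("adjusted", ADJUSTED_TABLE)):
        ev = expected_payout_wei(table) / ETHER
        print(f"{label}: EV={float(ev)} ether, margin={owner_margin(table)}, "
              f"split={outcome_split(table)}, "
              f"5 empty boxes in a row={float(zero_streak_probability(table, 5)):.3f}")
```
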

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Design choice
