Mystery Box

First Flight #25
Beginner Friendly, Foundry
100 EXP
Submission Details
Severity: medium
Valid

Newly Added Rewards Not Reflected for Users

Summary

The contract has no mechanism to ensure that newly added rewards are reflected in future reward allocations when users open mystery boxes. As a result, users may not have a chance to receive any new rewards added after their interaction begins.

Vulnerability Details

When new rewards are added to the rewardPool via the addReward function, the current logic for the openBox function uses a hardcoded probability system that does not account for changes in the rewardPool. The randomization logic and reward allocation seem to be fixed, so users opening boxes are not given an updated chance to win any newly added rewards. This could lead to a scenario where users, even after the addition of new rewards, are still only winning old rewards, making the newly added rewards effectively inaccessible to existing users.

Impact

Users might expect new rewards after interacting with the contract, but the static logic prevents them from obtaining any of these newly added rewards.

Additionally, the contract owner would need to redeploy or modify the contract frequently to ensure new rewards are fairly reflected, increasing operational overhead.

While this does not directly affect the security of the contract, it significantly impacts the fairness of reward distribution. Users may feel misled if new rewards are added but they are unable to win them, leading to a potential loss of trust in the platform.

Tools Used

Manual Review

Recommendations

Implement dynamic reward allocation logic that adjusts based on the current state of the rewardPool.

Ensure that when new rewards are added, they are incorporated into the randomization logic used in the openBox function.
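A sketch of the recommended fix, added here as an illustration and not taken from the audited contract: each reward carries a weight, and openBox draws over the cumulative weights of the live rewardPool, so every addReward call changes the odds on the next opening. The reward names, weights, box price and entropy source below are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Illustrative sketch, not the audited contract: rewardPool drives the draw.
contract WeightedMysteryBox {
    struct Reward { string name; uint256 value; uint256 weight; }

    address public owner;
    uint256 public boxPrice = 0.1 ether;          // assumed price
    Reward[] public rewardPool;
    uint256 public totalWeight;                   // sum of all pool weights
    mapping(address => uint256) public boxesOwned;
    mapping(address => Reward[]) public rewardsOwned;

    constructor() {
        owner = msg.sender;
        // Constructed sample pool; weights are odds out of 100.
        _addReward("Coal", 0, 75);
        _addReward("Bronze Coin", 0.1 ether, 20);
        _addReward("Silver Coin", 0.25 ether, 4);
        _addReward("Gold Coin", 0.5 ether, 1);
    }

    function buyBox() external payable {
        require(msg.value == boxPrice, "Incorrect ETH sent");
        boxesOwned[msg.sender] += 1;
    }

    function addReward(string memory name, uint256 value, uint256 weight) external {
        require(msg.sender == owner, "Only owner can add rewards");
        _addReward(name, value, weight);
    }

    function _addReward(string memory name, uint256 value, uint256 weight) internal {
        require(weight > 0, "Weight must be positive");
        rewardPool.push(Reward(name, value, weight));
        totalWeight += weight;                    // draw range grows with the pool
    }

    function openBox() external {
        require(boxesOwned[msg.sender] > 0, "No boxes to open");
        boxesOwned[msg.sender] -= 1;
        // Placeholder entropy for illustration only; the source is a separate topic.
        uint256 draw = uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % totalWeight;
        uint256 cumulative = 0;                   // walk cumulative weight slices
        for (uint256 i = 0; i < rewardPool.length; i++) {
            cumulative += rewardPool[i].weight;
            if (draw < cumulative) { rewardsOwned[msg.sender].push(rewardPool[i]); break; }
        }
    }
}
```

Because the modulus is totalWeight rather than a fixed 100, a reward added later receives its share of draws immediately, and the hardcoded branches that the finding describes are gone.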

Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Validated
Assigned finding tags:

addReward won't have any effect on openBox
