Mystery Box

First Flight #25
Submission Details
Severity: medium
Invalid

Lack of Zero Address Check In `MysteryBox::transferReward` Leads To Loss Of Users Reward

Summary

The transferReward function in MysteryBox does not validate the _to parameter, allowing rewards to be transferred to the zero address. Transferring assets to the zero address results in an irreversible loss of those rewards.

Vulnerability Details

There is no zero-address check on `_to` in the `transferReward` function, so a caller (or a front end passing a default/empty value) can move a reward into the `rewardsOwned[address(0)]` array:

function transferReward(address _to, uint256 _index) public {
require(_index < rewardsOwned[msg.sender].length, "Invalid index");
@> rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]); // No check for zero address
delete rewardsOwned[msg.sender][_index];
}

Impact

If a reward is transferred to the zero address, it becomes irretrievable: no private key controls the zero address, so nothing can ever call `transferReward` from it to move the reward back out. This leads to a permanent loss of the user's reward and leaves the contract's accounting holding entries that no one can act on.

Tools Used

Manual Review

Recommendations

Add a validation check to ensure that the _to address is not the zero address:

function transferReward(address _to, uint256 _index) public {
+ require(_to != address(0), "Cannot transfer to zero address");
require(_index < rewardsOwned[msg.sender].length, "Invalid index");
rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
delete rewardsOwned[msg.sender][_index];
}
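The following Foundry test is an added illustration of the issue and the fix, not code from the MysteryBox repository. It uses a minimal stand-in contract (the `Reward` struct, `mint` helper, `rewardCount` getter and the `zeroCheckEnabled` toggle are assumptions made so that both the vulnerable and the recommended behaviour can be exercised side by side; the reward values are constructed sample data).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

// Stand-in for the MysteryBox storage (assumed layout); only transferReward is reproduced.
contract RewardBook {
    struct Reward { string name; uint256 value; }
    mapping(address => Reward[]) public rewardsOwned;
    bool public zeroCheckEnabled; // false = as in the finding, true = with the recommended fix

    constructor(bool _zeroCheckEnabled) { zeroCheckEnabled = _zeroCheckEnabled; }

    function mint(address to, string memory name, uint256 value) external {
        rewardsOwned[to].push(Reward(name, value));
    }

    function transferReward(address _to, uint256 _index) public {
        // Recommended fix: reject the zero address before touching storage.
        if (zeroCheckEnabled) require(_to != address(0), "Cannot transfer to zero address");
        require(_index < rewardsOwned[msg.sender].length, "Invalid index");
        rewardsOwned[_to].push(rewardsOwned[msg.sender][_index]);
        delete rewardsOwned[msg.sender][_index];
    }

    function rewardCount(address owner) external view returns (uint256) {
        return rewardsOwned[owner].length;
    }
}

contract ZeroAddressTest is Test {
    address user = makeAddr("user");

    function test_VulnerableSendsRewardToZeroAddress() public {
        RewardBook book = new RewardBook(false);
        book.mint(user, "Sample Coin", 0.5 ether); // constructed sample reward
        vm.prank(user);
        book.transferReward(address(0), 0);
        // The reward now sits under address(0), which no key controls: it is lost.
        assertEq(book.rewardCount(address(0)), 1);
        (, uint256 value) = book.rewardsOwned(user, 0);
        assertEq(value, 0); // the sender's slot was zeroed by delete
    }

    function test_FixedRevertsOnZeroAddress() public {
        RewardBook book = new RewardBook(true);
        book.mint(user, "Sample Coin", 0.5 ether);
        vm.prank(user);
        vm.expectRevert(bytes("Cannot transfer to zero address"));
        book.transferReward(address(0), 0);
        assertEq(book.rewardCount(user), 1); // reward stays with the user
    }
}
```

Run with `forge test -vv`; the first test passes against the unchecked path and documents the loss, the second shows the `require` from the recommendation stopping it.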
Updates

Appeal created

inallhonesty Lead Judge 11 months ago
Submission Judgement Published
Invalidated
Reason: Non-acceptable severity
