Summary

The MysteryBox contract lacks proper input validation in several critical functions, potentially leading to unexpected behavior or economic imbalances.

Vulnerability Details

The following functions have insufficient input validation:

• setBoxPrice: No check for zero or unreasonably high prices

• addReward: No validation for reward name or value

• buyBox: No limit on the number of boxes that can be purchased at once

Impact

• Potential economic imbalances if prices or rewards are set to extreme values

• Possible system abuse through bulk purchases

• Increased risk of user errors leading to unintended consequences

Tools Used

Manual code review

Recommendations

1. Implement input validation in setBoxPrice:

   • Check for non-zero price

   • Set a reasonable maximum price

2. Add validation in addReward:

   • Ensure reward name is not empty

   • Set minimum and maximum values for rewards

3. Implement purchase limits in buyBox:

   • Set a maximum number of boxes that can be purchased in a single transaction

4. Consider adding a maximum supply of boxes to prevent infinite minting

By implementing these recommendations, the contract will be more robust against potential misuse and unintended behaviors, enhancing overall system integrity and user experience.