CodeHawks
Mystery Box
First Flight #25
Beginner Friendly
Foundry
100 EXP
Sep 26th, 2024 → Oct 3rd, 2024
654 / 654
| # | Submissions | Severity |
|---|---|---|
| #1 | Anyone can change the Owner in this contract | High |
| #2 | Weak Randomness in MysteryBox.sol:openBox function | High |
| #3 | Reentrancy Possibility in MysteryBox.sol:openBox function | High |
| #4 | Users can predict their reward before opening a box because `randomValue` is a predictable pseudo-random value | High |
| #5 | Missing access control for the `changeOwner` function making possible for anyone to change the `MysteryBox` contract ownership | High |
| #6 | Critical security flaws that can lead to unauthorized ownership transfers, causing potential financial and access risks to the contract. | High |
| #7 | Anybody can become owner | High |
| #8 | User can predict the rarity and reward of box | High |
| #9 | `claimAllRewards` and `claimSingleReward` functions are vulnerable to Reentrancy Attack | High |
| #10 | Inconsistent Reward Allocation Between Constructor and openBox Function | Medium |
| #11 | [H-1] Missing Access Control Checks on `MysteryBox::changeOwner` | High |
| #12 | Incorrect Index Bound Check in claimSingleReward() Leading to Out-of-Bounds Vulnerability | Medium |
| #13 | Randomness is predictable | Medium |
| #14 | Incorrect Reward Distribution | High |
| #15 | [H-2] Use of Magic Numbers Leads to Wrong Reward Distribution in `MysteryBox::openBox` | High |
| #16 | Anyone can be owner to steal all funds. | High |
| #17 | Re-entrancy in the claimSingleReward() function | High |
| #18 | Reentrancy in the claimAllRewards() function | High |
| #19 | Reentrancy attack in claimAllRewards(), claimSingleReward() | High |
| #20 | Self-transfer and wrong array manipulation in transferReward() | Medium |
| #21 | Reward distribution issue in addReward() and openBox() | High |
| #22 | Change Owner Changes the Ownership of the Contract | High |
| #23 | No access control in the changeOwner function | High |
| #24 | Broken Access Control in MysteryBox.sol:changeOwner | High |
| #25 | claimAllRewards() does not follow CEI, thus suffer of reentrancy issue | High |
| #26 | claimSingleReward() does not follow CEI, thus suffer of reentrancy issue | High |
| #27 | changeOwner() can be called by anyone | High |
| #28 | changeOwner() does not check if address provided is zero address | Low |
| #29 | No restriction of changeOwner function | High |
| #30 | [M-1] Weak Randomness in `MysteryBox::openBox` | Medium |