[H-01] Any user can drain rewardToken contract #111
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-608
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L96-L118
Vulnerability details
Impact
The `onlyMinter` modifier in `RabbitHoleReceipt.sol` is implemented incorrectly. According to the protocol's logic, a user can call the `mintReceipt` function to mint one token for every quest. Instead, any user can mint an unlimited number of tokens in the `RabbitHoleReceipt.sol` contract and therefore drain the whole balance of the Reward contract, whose address is held in the `rewardToken` state variable of the `Quest.sol` contract.

Attack scenario
1. Call the `createQuest` function from `QuestFactory.sol` to create a new `Erc20Quest` contract.
2. Call the `start` function from `Erc20Quest.sol` to start the quest. This function checks that the Reward contract has enough balance, according to the parameters passed to the `createQuest` function.
3. Call the `mint` function from the `RabbitHoleReceipt.sol` contract **unlimited times with the same `address` and `questId`.** The attacker should be careful not to run out of gas, because the `claim` function of the `Quest.sol` contract loops over the tokens. This can be easily bypassed with different addresses controlled by the same person.
4. Call the `claim` function from `Quest.sol` to get the rewards. The attacker can calculate the gas limit for looping over the tokens and therefore drain the whole initial supply from the ERC20 Reward contract with one or many accounts.

Proof of Concept
Add a new test case in the `test/Erc20Quest.spec.ts` file.

Tools Used
Hardhat
Recommended Mitigation Steps
A `require` statement should be added so that the modifier correctly checks the minter's address.
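As an added illustration (not code from this issue or from the quest-protocol repository), the shape of the defect and of the fix side by side: a modifier whose body is a bare comparison compiles (the compiler only warns that the statement has no effect), but the boolean result is discarded, so the modifier never reverts and every caller passes through. The `require` form reverts for anyone other than the configured minter. The contract and member names (`ReceiptVulnerable`, `ReceiptFixed`, `minterAddress`, `mint`) are assumptions chosen for this example, not a claim about the project's source.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not the project's code. All names below are assumptions.

contract ReceiptVulnerable {
    address public minterAddress;
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    constructor(address _minter) {
        minterAddress = _minter;
    }

    // BROKEN: `msg.sender == minterAddress;` is an expression statement whose
    // value is thrown away. Nothing reverts, so this modifier is a no-op and
    // any externally owned account or contract can call `mint`.
    modifier onlyMinter() {
        msg.sender == minterAddress;
        _;
    }

    function mint(address _to) external onlyMinter returns (uint256 id) {
        id = ++nextTokenId;
        ownerOf[id] = _to;
    }
}

contract ReceiptFixed {
    address public minterAddress;
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    constructor(address _minter) {
        minterAddress = _minter;
    }

    // FIXED: the comparison is wrapped in `require`, so a call from any
    // address other than `minterAddress` reverts before the function body runs.
    modifier onlyMinter() {
        require(msg.sender == minterAddress, "Only minter can mint");
        _;
    }

    function mint(address _to) external onlyMinter returns (uint256 id) {
        id = ++nextTokenId;
        ownerOf[id] = _to;
    }
}
```

A regression test in the Hardhat suite the finding mentions would deploy the fixed contract with one signer as minter, call `mint` from a different signer, and assert that the call reverts with the modifier's message; the same test against the vulnerable variant succeeds, which is exactly the condition this finding describes.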