Participant's rewards funds may be trapped via RabbitHoleReceipt.sol::getOwnedTokenIdsOfQuest() function #150
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-552
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L99
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L109
Vulnerability details
Impact
A RabbitHole participant can hold many receipts from all the quests they have participated in. The RabbitHoleReceipt.sol::getOwnedTokenIdsOfQuest() function returns the receipts owned by the user for a given questId.
If the participant accumulates a lot of RabbitHoleReceipts, the for statement that iterates through all of the participant's receipts can run out of gas.
The Quest.sol::claim() function will revert for users who have many receipts, so the rewards may be trapped for both the participants and the quest creator, because ERC20Quest.sol::withdrawRemainingTokens() is only able to withdraw the non-claimable tokens.
Proof of Concept
The RabbitHoleReceipt.sol::getOwnedTokenIdsOfQuest() function calculates the user balance on line 113. The user balance is then used in the for statement on line 117. The participant's balance could be a large number of receipts because the user can participate in many quests, so the for statement could revert due to insufficient gas.
I created a basic test where you can see that the receipt is not burned after the rewards are claimed, so the participant keeps accumulating receipts:
Tools used
VSCode
Recommended Mitigation Steps
If the rewards were claimed, burn the participant's receipt.
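The loop shape described in this report and the recommended burn-on-claim fix, as an added Solidity example. It is not the RabbitHole contracts' code: the contract name, storage layout and function bodies are assumptions made for illustration, and only the name getOwnedTokenIdsOfQuest is taken from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Added illustration, not the RabbitHole contracts. All names except
// getOwnedTokenIdsOfQuest are hypothetical; mint() has no access control.
contract ReceiptLedgerSketch {
    mapping(address => uint256[]) private owned; // receipt ids per holder
    mapping(uint256 => bytes32) private questOf; // receipt id => hashed quest id
    mapping(uint256 => uint256) private indexOf; // receipt id => slot in owned[holder]
    uint256 private nextId = 1;

    function mint(address to, string memory questId) external returns (uint256 id) {
        id = nextId++;
        questOf[id] = keccak256(bytes(questId));
        indexOf[id] = owned[to].length;
        owned[to].push(id);
    }

    // Same shape as the loop in the finding: one pass over every receipt the
    // holder owns, whichever quest it belongs to, so cost grows with balance.
    function getOwnedTokenIdsOfQuest(string memory questId, address holder) public view returns (uint256[] memory ids) {
        bytes32 wanted = keccak256(bytes(questId));
        uint256[] storage all = owned[holder];
        uint256[] memory matches = new uint256[](all.length);
        uint256 found;
        for (uint256 i = 0; i < all.length; i++) {
            if (questOf[all[i]] == wanted) matches[found++] = all[i];
        }
        ids = new uint256[](found);
        for (uint256 j = 0; j < found; j++) ids[j] = matches[j];
    }

    // Mitigation from the report: burn each receipt when its reward is claimed,
    // so the balance the loop walks only ever counts unclaimed receipts.
    function claim(string memory questId) external returns (uint256 claimed) {
        uint256[] memory ids = getOwnedTokenIdsOfQuest(questId, msg.sender);
        for (uint256 i = 0; i < ids.length; i++) _burn(msg.sender, ids[i]);
        claimed = ids.length; // number of receipts redeemed and burned
    }

    function _burn(address holder, uint256 id) private {
        uint256[] storage all = owned[holder];
        uint256 last = all[all.length - 1];
        all[indexOf[id]] = last; // swap-and-pop keeps the array dense
        indexOf[last] = indexOf[id];
        all.pop();
        delete questOf[id];
        delete indexOf[id];
    }
}
```

Without the `_burn` call in `claim`, every redeemed receipt stays in `owned[holder]` and each later call to `getOwnedTokenIdsOfQuest` pays for it again.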