Anyone can mint existing Quest IDs RHReceipt NFTs and claim ERC1155 and ERC20 quest rewards due to a non-reverting onlyMinter modifier #151
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-608
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98-L104
Vulnerability details
Impact
The `onlyMinter` modifier on line 58 of the `RabbitHoleReceipt` contract is lacking a `require` or `revert` statement to work as intended, allowing anyone to access the functions where the modifier is present, including its `mint()` function, and to mint one or several Quest IDs Receipt(s) to any address which will then be able to claim any Quest IDs rewards without the requirement to complete it.

This vulnerability impacts both `Erc20Quest` and `Erc1155Quest` reward claiming features and could lead to the draining of all the existing quests reward pools by an attacker.

Proof of Concept
This vulnerability can be reproduced inside the `Erc1155Quest.specs.ts` test file for an `ERC1155Quest`:

Or inside the `Erc20Quest.specs.ts` test file for an `ERC20Quest`:

Tools Used
Manual review
Recommended Mitigation Steps
Add a `require` or a `revert` statement inside the `onlyMinter` modifier on line 58 of the `RabbitHoleReceipt.sol` contract so the transaction can revert in case `msg.sender` is not authorized to mint:
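A minimal sketch of the modifier pattern this report describes, showing the non-reverting form beside a reverting one. It is an added example, not code from the RabbitHoleReceipt contract or from the report; the contract `ReceiptSketch`, the `minterAddress` variable, the `NotMinter` error and the simplified mint bookkeeping are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

/// Illustrative only: every name in this contract is hypothetical.
contract ReceiptSketch {
    address public minterAddress;               // assumed name for the authorized minter
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;
    mapping(uint256 => string) public questIdOf;

    error NotMinter(address caller);

    constructor(address minter_) {
        minterAddress = minter_;
    }

    /// Non-reverting form: the comparison is evaluated and its result is
    /// discarded, so execution always continues into the function body.
    modifier onlyMinterNonReverting() {
        msg.sender == minterAddress;
        _;
    }

    /// Reverting form: an unauthorized caller aborts the transaction
    /// before the function body runs.
    modifier onlyMinter() {
        if (msg.sender != minterAddress) revert NotMinter(msg.sender);
        _;
    }

    /// Reachable by any address despite the modifier.
    function mintUnguarded(address to, string calldata questId) external onlyMinterNonReverting {
        _mint(to, questId);
    }

    /// Reachable only by minterAddress.
    function mint(address to, string calldata questId) external onlyMinter {
        _mint(to, questId);
    }

    function _mint(address to, string memory questId) internal {
        uint256 id = ++nextTokenId;
        ownerOf[id] = to;
        questIdOf[id] = questId;
    }
}
```

A regression test for the fix should call the guarded `mint` from an account other than the minter and assert that the call reverts, in addition to the existing happy-path test from the minter account.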