Broken modifier implementation allows anyone to call `mint*` functions #152

code423n4 · 2023-01-27T19:47:13Z

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50

Vulnerability details

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50

Description

A mis-implementation of a modifier allows anyone to call the mint* functions of the RabbitHoleReceipt and RabbitHoleTickets contracts.

In the case of RabbitHoleReceipt.mint(), this allows an attacker to create valid Receipts for a Quest via its id, and then redeem the receipts for rewards via Erc20Quest.claim() and Erc1155Quest.claim(), draining all rewards to themselves.

In the case of RabbitHoleTickets, whatever benefit/value is applied to that token would be freely available to the minter.

PoC

Modify the existing RabbitHoleReceipt.spec.ts test 'mint' like so:

describe('mint', () => {
  it('mints a token with correct questId', async () => {
    await RHReceipt.connect(minterAddress).mint(firstAddress.address, 'def456')

    expect(await RHReceipt.balanceOf(firstAddress.address)).to.eq(1)
    expect(await RHReceipt.questIdForTokenId(1)).to.eq('def456')

    // connect to the Receipt with non-privileged user, call mint
    await RHReceipt.connect(firstAddress).mint(firstAddress.address, 'def456')
    // since there's no revert, we want their token balance to remain 1
    expect(await RHReceipt.balanceOf(firstAddress.address)).to.eq(1)
  })
})

The test will fail:

mints a token with correct questId:

AssertionError: expected 2 to equal 1. The numerical values of the given "ethers.BigNumber" and "number" inputs were compared, and they differed.
  + expected - actual

  -2
  +1

Mitigation

Fix the modifier as follows:

modifier onlyMinter() {
    require(msg.sender == minterAddress);
    _;
}

Note that this breaks other tests in the suite because of the use of owner.address instead of the QuestFactory contract in the initializer used to deploy the RabbitHoleReceipt.

Tools used

Provided test suite, manual review

The text was updated successfully, but these errors were encountered:

c4-judge · 2023-02-05T03:32:03Z

kirk-baird marked the issue as duplicate of #9

c4-judge · 2023-02-14T08:39:25Z

kirk-baird marked the issue as satisfactory

code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 27, 2023

code423n4 added a commit that referenced this issue Jan 27, 2023

trustindistrust issue #152

acaa7ab

c4-judge closed this as completed Feb 5, 2023

c4-judge added the duplicate-9 label Feb 5, 2023

c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-608 and removed duplicate-9 labels Feb 14, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Broken modifier implementation allows anyone to call `mint*` functions #152

Broken modifier implementation allows anyone to call `mint*` functions #152

code423n4 commented Jan 27, 2023

c4-judge commented Feb 5, 2023

c4-judge commented Feb 14, 2023

Broken modifier implementation allows anyone to call mint* functions #152

Broken modifier implementation allows anyone to call mint* functions #152

Comments

code423n4 commented Jan 27, 2023

Lines of code

Vulnerability details

Description

PoC

Mitigation

Tools used

c4-judge commented Feb 5, 2023

c4-judge commented Feb 14, 2023

Broken modifier implementation allows anyone to call `mint*` functions #152

Broken modifier implementation allows anyone to call `mint*` functions #152