Broken modifier implementation allows anyone to call mint* functions
#152
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-608
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50
Vulnerability details
Description
A mis-implementation of a modifier allows anyone to call the mint* functions of the RabbitHoleReceipt and RabbitHoleTickets contracts.

In the case of RabbitHoleReceipt.mint(), this allows an attacker to create valid Receipts for a Quest via its id, and then redeem the receipts for rewards via Erc20Quest.claim() and Erc1155Quest.claim(), draining all rewards to themselves.

In the case of RabbitHoleTickets, whatever benefit/value is applied to that token would be freely available to the minter.

PoC
Modify the existing RabbitHoleReceipt.spec.ts test 'mint' like so:

The test will fail:
Mitigation
Fix the modifier as follows:
Note that this breaks other tests in the suite because of the use of owner.address instead of the QuestFactory contract in the initializer used to deploy the RabbitHoleReceipt.

Tools used
Provided test suite, manual review
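The report links to the modifier but does not reproduce it, so the following is an added illustration of the bug class it describes, not the project's own code: a modifier whose access check is written as a bare comparison (evaluated, then discarded) next to the corrected form that reverts. Contract, function and variable names (ReceiptVulnerable, ReceiptFixed, onlyMinter, minterAddress, mint) are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustration only. Names below are assumptions, not the project's identifiers.

// Vulnerable form: the comparison is a statement with no effect. Nothing
// reverts when msg.sender != minterAddress, so every caller reaches `_;`
// and can mint. solc reports "Statement has no effect" for this line, which
// is a cheap compile-time signal worth treating as an error in CI.
contract ReceiptVulnerable {
    address public minterAddress;
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId = 1;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    modifier onlyMinter() {
        msg.sender == minterAddress; // bare expression: never reverts
        _;
    }

    function mint(address to) external onlyMinter returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = to;
    }
}

// Fixed form: the check is wrapped in require, so a non-minter call reverts
// before the function body runs. A negative test (call mint from a
// non-minter signer and expect the revert string) guards against regression.
contract ReceiptFixed {
    address public minterAddress;
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId = 1;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    modifier onlyMinter() {
        require(msg.sender == minterAddress, "Only minter");
        _;
    }

    function mint(address to) external onlyMinter returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = to;
    }
}
```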