Missing custom error or require statement in onlyMinter
modifier
#165
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-608
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L48
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L59
Vulnerability details
Impact
Without custom error or require statement at modifier
onlyMinter
, anyone couldmint
a receipt in theRabbitHoleReceipt
contract or a ticket in theRabbitHoleTickets
contract.Proof of Concept
For
RabbitHoleReceipt
add a test inRabbitHoleReceipt.spec.ts
For
RabbitHoleTickets
add a test inRabbitHoleTickets.spec.ts
As it is seen from these tests code, it is possible from anyone to call the
mint
operation in theRabbitHoleReceipt
andRabbitHoleTickets
(also, there is an additional exceptexpect(minterAddress.address != firstAddress.address && minterAddress.address != royaltyRecipient.address).to.equal(true)
which shows that addresses that callmint
operation are different than minter address).Tools Used
VSCode, Hardhat, Solidity Visual Developer plugin for VSCode
Recommended Mitigation Steps
Create and add a custom error in the
if
statement for a check ismsg.sender
different thanminterAddress
at lines RabbitHoleTickets.sol#L48 and RabbitHoleReceipt.sol#L59The text was updated successfully, but these errors were encountered: