Malicious user can front run the selling of his NFT receipt with a claim() function call and stealing funds from another user #201
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
duplicate-119
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L96-L118
Vulnerability details
Impact
Once the user has received an ERC-721 RabbitHole Receipt token, he has two options - either to call the claim() function and get the reward tokens, or sell it to another user who is interested. Here, a malicious user can cheat the system and do both. He does this by selling his receipt nft first and in the same block, front running the sell transaction with a call to
claim()
function.Proof of Concept
The attack path works like this:
Note that this works only when the buyer of the NFT
manually
checks if the receipt was not claimed and then initiates the buy transaction. If he uses a contract which does the check and buy in a single transaction, this attack path wont work.Tools Used
VS code, Manual analysis
Recommended Mitigation Steps
The claim() function doesn't ask the user to send his receipt NFT to the contract before sending the reward tokens. It only checks if the user currently owns it and its not been claimed yet.
I suggest the claim() function should receive the NFT receipt before sending the reward tokens to avoid this kind of attack.
The text was updated successfully, but these errors were encountered: