Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Malicious user can front run the selling of his NFT receipt with a claim() function call and stealing funds from another user #201

Closed
code423n4 opened this issue Jan 28, 2023 · 5 comments
Closed

Malicious user can front run the selling of his NFT receipt with a claim() function call and stealing funds from another user #201

code423n4 opened this issue Jan 28, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate-119 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L96-L118

Vulnerability details

Impact

Once the user has received an ERC-721 RabbitHole Receipt token, he has two options - either to call the claim() function and get the reward tokens, or sell it to another user who is interested. Here, a malicious user can cheat the system and do both. He does this by selling his receipt nft first and in the same block, front running the sell transaction with a call to claim() function.

Proof of Concept

The attack path works like this:

  1. User completes an on-chain task and mints himself an ERC-721 RabbitHole Receipt token.
  2. He creates a sell order for the same.
  3. Another user checks that the receipt is not claimed yet and initiates the buy transaction.
  4. Noticing the buy transaction in the mempool, the original malicious user calls the claim() function with a high gas fee (and front runs) and claims his reward tokens.
  5. Right after, the buy transaction also goes through in the same block and the user was able to sell his already claimed(and hence useless) receipt.

Note that this works only when the buyer of the NFT manually checks if the receipt was not claimed and then initiates the buy transaction. If he uses a contract which does the check and buy in a single transaction, this attack path wont work.

Tools Used

VS code, Manual analysis

Recommended Mitigation Steps

The claim() function doesn't ask the user to send his receipt NFT to the contract before sending the reward tokens. It only checks if the user currently owns it and its not been claimed yet.

I suggest the claim() function should receive the NFT receipt before sending the reward tokens to avoid this kind of attack.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 28, 2023
code423n4 added a commit that referenced this issue Jan 28, 2023
@code423n4
ElKu issue #201
86d89e6
@c4-judge c4-judge added the primary issue Highest quality submission among a set of duplicates label Feb 5, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 5, 2023

kirk-baird marked the issue as primary issue

This was referenced Feb 5, 2023
Closed
Closed
Closed
Closed
Closed
Open
Closed
Closed
@c4-sponsor c4-sponsor added the disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) label Feb 7, 2023
@c4-sponsor
Copy link

waynehoover marked the issue as disagree with severity

@waynehoover
Copy link

This is an issue with whatever FE is displaying code from our smart contract, not an issue in the SC itself.

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 14, 2023
@c4-judge
Copy link
Contributor

kirk-baird marked the issue as satisfactory

@c4-judge c4-judge removed the primary issue Highest quality submission among a set of duplicates label Feb 14, 2023
@c4-judge
Copy link
Contributor

kirk-baird marked issue #119 as primary and marked this issue as a duplicate of 119

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working disagree with severity Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments) duplicate-119 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@waynehoover @code423n4 @c4-judge @c4-sponsor