Protocol fee can be withdrawn multiple times #250
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-605
edited-by-warden
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102
Vulnerability details
Impact
After a quest finishes, there will be some tokens left over. Beside the protocolFee, some of these tokens belong to the quest owner, and some of them belong to participants who have not claimed their reward.
However, withdrawFee() can be called multiple times, and protocolFee() does not decrease. So, anyone can call the withdrawFee function multiple times to drain all the tokens from the Erc20Quest contract to the protocolFeeRecipient.
Proof of Concept
Add the following test to Erc20Quest.spec.ts. It successfully calls withdrawFee twice, getting twice the protocolFee it's supposed to.
Tools Used
VSCode, hardhat
Recommended Mitigation Steps
Maintain a counter initialized to 0 (say protocolFeeCount). Set it to receiptRedeemers() at the end of withdrawFee().
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L97
Then, in protocolFee(), this line should be changed to
return ((receiptRedeemers() - protocolFeeCount)* rewardAmountInWeiOrTokenId * questFee) / 10_000;
The text was updated successfully, but these errors were encountered: