Admin can drain ERC20Quest by calling withdrawFee multiple times #308
Labels: 3 (High Risk) - assets can be stolen/lost/compromised directly; bug - something isn't working; duplicate-605; satisfactory - satisfies C4 submission criteria, eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104
Vulnerability details
Impact
The admin can drain all tokens held by ERC20Quest by calling withdrawFee multiple times: each call transfers the protocol fee again, so the fee recipient receives more tokens than it is entitled to.
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104
Proof of Concept
The test will fail because the quest contract has less than the expected balance (the fee is withdrawn twice).
Recommended Mitigation Steps
Only allow the admin to call withdrawFee once.
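To make the defect and the recommended fix concrete, the following is an added example; it is not the quest-protocol code, which this page only links to. It assumes a minimal quest contract whose protocolFee() is derived from the number of redeemed receipts and whose withdrawFee is restricted to the admin after the quest ends. The names QuestFeeBase, VulnerableQuest, HardenedQuest, feeWithdrawn, redeemedReceipts, rewardAmountPerReceipt and questFeeBps are assumptions made for this illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal ERC20 surface needed here (declared inline so the example is self-contained).
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

// Stand-in for the quest contract. Names and layout are assumptions for this example.
abstract contract QuestFeeBase {
    IERC20 public immutable rewardToken;
    address public immutable protocolFeeRecipient;
    address public immutable admin;
    uint256 public immutable endTime;
    uint256 public immutable rewardAmountPerReceipt;
    uint256 public immutable questFeeBps;   // fee in basis points, e.g. 2000 = 20%
    uint256 public redeemedReceipts;        // incremented by the claim path (omitted here)

    constructor(IERC20 token, address feeRecipient, uint256 end, uint256 rewardPerReceipt, uint256 feeBps) {
        rewardToken = token;
        protocolFeeRecipient = feeRecipient;
        admin = msg.sender;
        endTime = end;
        rewardAmountPerReceipt = rewardPerReceipt;
        questFeeBps = feeBps;
    }

    modifier onlyAdminWithdrawAfterEnd() {
        require(msg.sender == admin, "not admin");
        require(block.timestamp > endTime, "quest not ended");
        _;
    }

    // Fee owed to the protocol: a share of the rewards actually paid out.
    function protocolFee() public view returns (uint256) {
        return (redeemedReceipts * rewardAmountPerReceipt * questFeeBps) / 10_000;
    }

    function _payFee(uint256 amount) internal {
        require(rewardToken.transfer(protocolFeeRecipient, amount), "fee transfer failed");
    }
}

// Vulnerable shape: nothing records that the fee was already paid, so every call
// transfers protocolFee() again until the contract's balance runs out.
contract VulnerableQuest is QuestFeeBase {
    constructor(IERC20 token, address feeRecipient, uint256 end, uint256 rewardPerReceipt, uint256 feeBps)
        QuestFeeBase(token, feeRecipient, end, rewardPerReceipt, feeBps) {}

    function withdrawFee() external onlyAdminWithdrawAfterEnd {
        _payFee(protocolFee());
    }
}

// Hardened shape: a one-shot flag makes any second call revert.
contract HardenedQuest is QuestFeeBase {
    bool public feeWithdrawn;

    event FeeWithdrawn(address indexed to, uint256 amount);

    constructor(IERC20 token, address feeRecipient, uint256 end, uint256 rewardPerReceipt, uint256 feeBps)
        QuestFeeBase(token, feeRecipient, end, rewardPerReceipt, feeBps) {}

    function withdrawFee() external onlyAdminWithdrawAfterEnd {
        require(!feeWithdrawn, "fee already withdrawn");
        feeWithdrawn = true;                // effect before interaction, so a reentrant token cannot re-enter
        uint256 amount = protocolFee();
        _payFee(amount);
        emit FeeWithdrawn(protocolFeeRecipient, amount);
    }
}
```

In the hardened version the flag is written before the token transfer; if the reward token has transfer hooks (ERC777-style), a callback into withdrawFee during the transfer would hit the require rather than pay the fee a second time. A monitoring check for deployed quests is to compare the fee recipient's inflow from each quest against the single expected protocolFee() value; any excess indicates the unguarded path was exercised.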