Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A SITUATION IS POSSIBLE WHERE PROTOCOL DOESN'T GET ANY PROTOCOL FEES FOR MINTING RECEIPT #353

Closed
code423n4 opened this issue Jan 29, 2023 · 3 comments
Closed

A SITUATION IS POSSIBLE WHERE PROTOCOL DOESN'T GET ANY PROTOCOL FEES FOR MINTING RECEIPT #353

code423n4 opened this issue Jan 29, 2023 · 3 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-601 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81-L87
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L230

Vulnerability details

Impact

Protocol might not get any Fees for Mints done after End Time for a Quest whose hashes has been Issued in between start and End time.

Proof of Concept

File: QuestFactory.sol

    function mintReceipt(string memory questId_, bytes32 hash_, bytes memory signature_) public {
        if (quests[questId_].numberMinted + 1 > quests[questId_].totalParticipants) revert OverMaxAllowedToMint();
        if (quests[questId_].addressMinted[msg.sender] == true) revert AddressAlreadyMinted();
        if (keccak256(abi.encodePacked(msg.sender, questId_)) != hash_) revert InvalidHash();
        if (recoverSigner(hash_, signature_) != claimSignerAddress) revert AddressNotSigned();

        quests[questId_].addressMinted[msg.sender] = true;
        quests[questId_].numberMinted++;
        emit ReceiptMinted(msg.sender, questId_);
        rabbitholeReceiptContract.mint(msg.sender, questId_);
    }

Link to Code

As there are no checks on quest lifecycle, User can mint the Receipt at any time of their convenience. As number of hashes issued are tracked off chain, getting the Hash confirms its Eligibility to mint the Receipt.

So Consider the Following Situation:

  1. User got the hash issued.
  2. Once the End time is gone, Quest Owner withdraws all the Remaining Tokens. It also includes the Protocol fees of no. of users who didn't minted the Receipt.
  3. Now few User whose hashes got issued earlier mints the token. They will successfully mint the token as max limit would not have reached.
  4. But in this Case, Protocol losses on Protocol Fees which are already withdrawn by Quest owner.

Tools Used

Manual Review

Recommended Mitigation Steps

2 Ways to Mitigate the Issue depending on which functionality you consider more important:

  1. Add an extra field in Quest Structure to track the End Time for the Quest and add a require condition in mintReceipt method such that no one is allowed to mint the Token after endTime.
  2. Don't allow Owner to withdraw any amount from the Protocol Fees. Use maxProtocolReward instead of protocolFee to cover the Fees for Future mints.
File: Erc20Quest.sol

85:     uint256 nonClaimableTokens = IERC20(rewardToken).balanceOf(address(this)) - protocolFee() - unclaimedTokens;

Link to Code
@code423n4 code423n4 added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Jan 29, 2023
code423n4 added a commit that referenced this issue Jan 29, 2023
@code423n4
Breeje issue #353
1f48ad1
@c4-judge c4-judge closed this as completed Feb 5, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 5, 2023

kirk-baird marked the issue as duplicate of #22

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Feb 14, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to 2 (Med Risk)

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as satisfactory

@c4-judge c4-judge added satisfactory satisfies C4 submission criteria; eligible for awards duplicate-601 and removed duplicate-22 labels Feb 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-601 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge