A SITUATION IS POSSIBLE WHERE PROTOCOL DOESN'T GET ANY PROTOCOL FEES FOR MINTING RECEIPT #353
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-601
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81-L87
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L230
Vulnerability details
Impact
The protocol might not get any fees for mints done after the end time of a Quest whose hashes have been issued between the start and end time.
Proof of Concept
Link to Code
As there are no checks on the quest lifecycle, a user can mint the Receipt at any time of their convenience. As the number of hashes issued is tracked off chain, getting the hash confirms eligibility to mint the Receipt.
So Consider the Following Situation:
Tools Used
Manual Review
Recommended Mitigation Steps
Two ways to mitigate the issue, depending on which functionality you consider more important:
mintReceipt method such that no one is allowed to mint the Token after endTime.
maxProtocolReward instead of protocolFee to cover the Fees for Future mints.
Link to Code
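The accounting gap and the two mitigations can be checked with a small model. This is an added example, not code from the report or from the quest-protocol repository; it assumes the fee left for the protocol at withdrawal is computed from the receipts minted so far, and the class, flags and numbers are constructed for illustration.

```python
# Simplified, constructed model of a quest's fee accounting (not the contract code).
from dataclasses import dataclass

FEE_BPS = 2_000        # constructed: 20% protocol fee
REWARD = 100           # constructed: reward tokens per receipt
MAX_PARTICIPANTS = 10  # constructed: number of hashes the quest can issue


@dataclass
class Quest:
    end_time: int
    enforce_end_time: bool = False  # mitigation 1: no mints after end_time
    reserve_max_fee: bool = False   # mitigation 2: reserve the maximum fee
    receipts: int = 0
    fee_reserved: int = 0

    def fee_for(self, receipts: int) -> int:
        return receipts * REWARD * FEE_BPS // 10_000

    def mint_receipt(self, now: int) -> None:
        # Eligibility is a hash issued off-chain; the model treats it as valid.
        if self.enforce_end_time and now > self.end_time:
            raise PermissionError("quest ended")
        self.receipts += 1

    def withdraw_remaining(self, now: int) -> None:
        # Owner withdraws after end_time; only fee_reserved stays for the protocol.
        if now <= self.end_time:
            raise PermissionError("quest still running")
        basis = MAX_PARTICIPANTS if self.reserve_max_fee else self.receipts
        self.fee_reserved = self.fee_for(basis)

    def fee_shortfall(self) -> int:
        # Fee owed on every minted receipt minus what was actually reserved.
        return max(0, self.fee_for(self.receipts) - self.fee_reserved)


def scenario(**flags) -> int:
    """Three users hold valid hashes but mint only after the owner withdraws."""
    quest = Quest(end_time=100, **flags)
    quest.withdraw_remaining(now=101)
    for _ in range(3):
        try:
            quest.mint_receipt(now=102)
        except PermissionError:
            pass  # mitigation 1 rejects the late mint
    return quest.fee_shortfall()
```
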