Incorrect access control allows the user to inflate rewards and drain funds. #404
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-608
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50
Vulnerability details
Incorrect access control allows the user to inflate rewards and drain funds.
- quest-protocol/contracts/RabbitHoleReceipt.sol:58-61
- quest-protocol/contracts/RabbitHoleTickets.sol:47-50
Description:
An invalid `modifier` allows everyone to call the `mint` function on the `RabbitHoleReceipt` contract. `QuestFactory.sol:215` specifies that "/// @dev mint a RabbitHole Receipt. Note: this contract must be set as Minter on the receipt contract". The protocol therefore assumes that only the `QuestFactory` should be able to call the `mint` function on the `RabbitHoleReceipt` contract. But due to a bug in the modifier, everyone can call the `mint` function. The maximum number of participants is also checked by `QuestFactory`, so an attacker can steal all the money from the contract, including the fee.
Note:
PoC: Set up from `Erc20Quest.spec.ts`; the actual PoC starts from line 125.
Fix:
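To make the class of defect concrete, the following is an added illustrative contract pair, not the project's own code: a minter modifier that only evaluates the caller check without enforcing it, next to the corrected form that reverts. The names `minterAddress`, `onlyMinter` and `mint` are assumptions that mirror the description above; the exact body of the project's modifier is not reproduced here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative contract (added example, not the project's code). It shows the
// class of bug the report describes: a modifier that computes the minter
// comparison but never enforces it, so any caller reaches mint().
contract ReceiptVulnerable {
    address public minterAddress;
    mapping(address => uint256) public minted;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    // BUG: the expression is evaluated and its result discarded. There is no
    // require/revert, so "only the minter can mint" is not enforced at all.
    modifier onlyMinter() {
        msg.sender == minterAddress;
        _;
    }

    function mint(address to, uint256 amount) external onlyMinter {
        minted[to] += amount; // stands in for the real receipt minting
    }
}

// Hardened form: the same check, but the transaction reverts when the caller
// is not the configured minter (the QuestFactory in the protocol's design).
contract ReceiptFixed {
    address public minterAddress;
    mapping(address => uint256) public minted;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    modifier onlyMinter() {
        require(msg.sender == minterAddress, "Only minter");
        _;
    }

    function mint(address to, uint256 amount) external onlyMinter {
        minted[to] += amount;
    }
}
```

A compiler warning such as "Statement has no effect" on the bare comparison is the signal to look for in review; treating that warning as an error in CI catches this pattern before deployment.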