Possible to steal funds from another chains #440
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-107
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L215-L229
Vulnerability details
Impact
Current implementation of token vesting is not resistant to:
Proof of Concept
The same thing can happen if you deploy the factory to the same network but to a new address, because your signature does not depend on the factory address.
Tools Used
Manual audit
Recommended Mitigation Steps
Use spec: https://eips.ethereum.org/EIPS/eip-712
See how it's implemented in Uniswap V2:
https://github.com/Uniswap/v2-core/blob/master/contracts/UniswapV2ERC20.sol
https://github.com/Uniswap/v2-core/blob/master/contracts/UniswapV2ERC20.sol#L29-L37
https://github.com/Uniswap/v2-core/blob/master/contracts/UniswapV2ERC20.sol#L81-L93
Do the same.
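One way to apply the EIP-712 recommendation above, as an added example that is not the audited project's code or Uniswap's: the signed digest includes a domain separator built from `block.chainid` and `address(this)`, so a signature issued for one deployment fails verification on another chain or at another contract address. `ClaimVerifier`, the `Claim` struct, `claimSigner` and the `questId` field are hypothetical names chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example. ClaimVerifier, Claim, claimSigner and questId are
// hypothetical names, not taken from the audited code base.
contract ClaimVerifier {
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    bytes32 private constant CLAIM_TYPEHASH = keccak256("Claim(address account,string questId)");

    address public immutable claimSigner;
    mapping(bytes32 => bool) public used;
    event Claimed(address indexed account, string questId);

    constructor(address signer_) {
        claimSigner = signer_;
    }

    // Computed per call: a different chain id or contract address yields a different domain.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH,
            keccak256(bytes("ClaimVerifier")),
            keccak256(bytes("1")),
            block.chainid,   // binds the signature to one chain
            address(this)    // binds the signature to this deployment
        ));
    }

    // EIP-712 digest: "\x19\x01" || domainSeparator || hashStruct(Claim)
    function claimDigest(address account, string memory questId) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(CLAIM_TYPEHASH, account, keccak256(bytes(questId))));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    function claim(string calldata questId, uint8 v, bytes32 r, bytes32 s) external {
        bytes32 digest = claimDigest(msg.sender, questId);
        require(!used[digest], "already claimed");
        address recovered = ecrecover(digest, v, r, s);
        require(recovered != address(0) && recovered == claimSigner, "invalid signature");
        used[digest] = true; // keyed on the digest, so a malleated (r, s) pair cannot claim twice
        emit Claimed(msg.sender, questId);
    }
}
```

The off-chain signer has to build the same domain (name, version, chain id, verifying contract) when producing the signature; a signature made for one deployment recovers to a different address everywhere else and is rejected.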