User, who is not RabbitHoleReceipt contract's minter, can mint RabbitHole receipts and claim associated rewards (#449)
Labels
- 3 (High Risk): Assets can be stolen/lost/compromised directly
- bug: Something isn't working
- duplicate-608
- satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/RabbitHoleReceipt.sol#L98-L104
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/RabbitHoleReceipt.sol#L58-L61
Vulnerability details
Impact
Anyone can call the `RabbitHoleReceipt.mint` function and mint one or more RabbitHole receipts without the claim signer's consent, because the `RabbitHoleReceipt.onlyMinter` modifier evaluates `msg.sender == minterAddress` as a bare expression statement: the boolean result is discarded and the modifier never reverts when `msg.sender` is not `minterAddress`. A malicious actor can therefore mint as many RabbitHole receipts as they want and claim the associated rewards, draining most or all of the reward token balance held by the quest contract.
Proof of Concept
Append the following test to the `claim()` `describe` block in `quest-protocol\test\Erc20Quest.spec.ts`. The test passes, which demonstrates the described scenario.
Tools Used
VSCode
Recommended Mitigation Steps
Update the `RabbitHoleReceipt.onlyMinter` modifier so that it reverts when `msg.sender` is not `minterAddress`.