In ERC20Quest withdrawFee can be called multiple times by anyone #501
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-605
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102
Vulnerability details
Impact
The `withdrawFee` function in Erc20Quest is used to transfer the `protocolFee` to `protocolFeeRecipient`. This function has access control issues. The modifier `onlyAdminWithdrawAfterEnd` only checks whether the function is called before `endTime` and reverts if it is. This function is missing the `onlyOwner` modifier.

Due to this issue, it can be called multiple times by anyone to transfer funds to the `protocolFeeRecipient`, and legitimate users would not be able to claim their tokens, as there would no longer be sufficient funds in the contract.

Even if the `protocolFeeRecipient` transfers funds back to this contract, a malicious user whose objective is to prevent users from claiming their tokens can front-run their `claim` call to transfer the funds back to the `protocolFeeRecipient` and cause their transactions to revert.

POC
Recommended Mitigation
Just add the `onlyOwner` modifier.
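The access-control gap described above, shown beside a hardened form. This is an added example and a simplified model, not the Erc20Quest source: `QuestFeeModel`, `IERC20Like`, `withdrawFeeUnrestricted`, the custom errors and the fixed `protocolFee` value are assumptions, and the `feeWithdrawn` one-shot flag goes beyond the `onlyOwner` fix recommended in the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;
// Added illustration: simplified model with assumed names, not project code.
interface IERC20Like {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract QuestFeeModel {
    address public immutable owner;
    address public immutable protocolFeeRecipient;
    IERC20Like public immutable rewardToken;
    uint256 public immutable endTime;
    uint256 public immutable protocolFee; // assumed fixed here for simplicity
    bool public feeWithdrawn;             // assumed extra guard, not in the report
    error NotOwner();
    error QuestNotEnded();
    error FeeAlreadyWithdrawn();

    constructor(IERC20Like token, address recipient, uint256 end, uint256 fee) {
        owner = msg.sender;
        rewardToken = token;
        protocolFeeRecipient = recipient;
        endTime = end;
        protocolFee = fee;
    }

    // Time check only, as the report describes: it does not look at msg.sender.
    modifier onlyAdminWithdrawAfterEnd() {
        if (block.timestamp < endTime) revert QuestNotEnded();
        _;
    }
    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    // Reported pattern: open to any caller, and every call moves another fee
    // out of the balance that backs user claims.
    function withdrawFeeUnrestricted() external onlyAdminWithdrawAfterEnd {
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee), "transfer failed");
    }

    // Hardened: owner-only, and the flag makes any second call revert.
    function withdrawFee() external onlyOwner onlyAdminWithdrawAfterEnd {
        if (feeWithdrawn) revert FeeAlreadyWithdrawn();
        feeWithdrawn = true; // state updated before the external call
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee), "transfer failed");
    }
}
```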