RabbitHole receipts can be minted after the quest has ended

[code423n4]

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L229

Vulnerability details

Impact

The function mintReceipt has no check that block.timestamp < quest endTime. So, it is possible to mint receipts after the quest has ended which can lead to loss of assets. If the owner of the quest contract withdraws the remaining tokens immediately after the end of the quest, assets can be lost by users, who did not claim rewards, or the protocol.

Proof of Concept

Several scenarios are possible:

1. The quest has ended (but quest.numberMinted < quest.totalParticipants), all users claimed rewards (unclaimedTokens = 0), protocol withdrawn fees, owner withdrawn remaining tokens. Contract balance = 0.
   User mints Receipt and can not claim rewards because there are no tokens left on quest contract balance.
2. The quest has ended (but quest.numberMinted < quest.totalParticipants), not all users claimed rewards, protocol withdrawn fees, owner withdrawn remaining tokens.
   User mints Receipt and claim rewards but one of the users who has not yet claimed a reward will not be able to receive a reward because there are not enough tokens.
3. The quest has ended (but quest.numberMinted < quest.totalParticipants), all users claimed rewards (unclaimedTokens = 0), protocol did not withdraw fees, owner withdrawn remaining tokens.
   User mints Receipt and claim rewards but protocol will not be able to receive fees because there are not enough tokens.

Tools Used

Manual review.

Recommended Mitigation Steps

Restrict the ability to mintReceipt when block.timestamp > quest.endTime.

[c4-judge]

kirk-baird marked the issue as duplicate of #22

[c4-judge]

kirk-baird changed the severity to 2 (Med Risk)

[c4-judge]

kirk-baird marked the issue as satisfactory