RabbitHole receipts can be minted after the quest has ended #525
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-601
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L229
Vulnerability details
Impact
The
function mintReceipt
has no check that block.timestamp < quest endTime. So, it is possible to mint receipts after the quest has ended which can lead to loss of assets. If the owner of the quest contract withdraws the remaining tokens immediately after the end of the quest, assets can be lost by users, who did not claim rewards, or the protocol.Proof of Concept
Several scenarios are possible:
User mints Receipt and can not claim rewards because there are no tokens left on quest contract balance.
User mints Receipt and claim rewards but one of the users who has not yet claimed a reward will not be able to receive a reward because there are not enough tokens.
User mints Receipt and claim rewards but protocol will not be able to receive fees because there are not enough tokens.
Tools Used
Manual review.
Recommended Mitigation Steps
Restrict the ability to
mintReceipt
when block.timestamp > quest.endTime.The text was updated successfully, but these errors were encountered: