withdrawFee should only be allowed to be called once. #547
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
duplicate-605
satisfactory: satisfies C4 submission criteria; eligible for awards
upgraded by judge: Original issue severity upgraded from QA/Gas by judge
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102
Vulnerability details
Impact
In the current implementation, the function withdrawFee can be called multiple times. It should only be allowed to be called once. Calling it more than once would let the owner steal from legit users, as there won't be enough funds left for legit users to claim tokens if the owner calls this multiple times.
POC
Recommendation
Let the function only be called once.
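The recommendation above as an added Solidity sketch, not code from this report or from Erc20Quest.sol: a one-time flag makes a second withdrawFee call revert. The contract name FeeOnceQuest, the fixed feeAmount, the owner check and the error names are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Minimal token interface, declared here so the example is self-contained.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical, simplified quest contract (not the project's Erc20Quest.sol).
contract FeeOnceQuest {
    address public immutable owner;
    address public immutable feeRecipient;
    IERC20 public immutable rewardToken;
    uint256 public immutable feeAmount; // assumed: fixed fee owed to the protocol
    bool public feeWithdrawn;           // one-shot guard

    error NotOwner();
    error FeeAlreadyWithdrawn();
    error TransferFailed();

    constructor(IERC20 token, address recipient, uint256 fee) {
        owner = msg.sender;
        rewardToken = token;
        feeRecipient = recipient;
        feeAmount = fee;
    }

    // Unguarded form, as the finding describes it: every call moves feeAmount
    // out of the same balance that claimants are paid from.
    //
    //   function withdrawFee() external {
    //       rewardToken.transfer(feeRecipient, feeAmount);
    //   }

    // Guarded form: the flag is set before the external call
    // (checks-effects-interactions), so a second call reverts.
    function withdrawFee() external {
        if (msg.sender != owner) revert NotOwner();
        if (feeWithdrawn) revert FeeAlreadyWithdrawn();
        feeWithdrawn = true;
        // Tokens that return no value need a safe-transfer wrapper instead.
        if (!rewardToken.transfer(feeRecipient, feeAmount)) revert TransferFailed();
    }
}
```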