All tokens in Erc1155Quest should not be withdrawn before users claim #579
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-528
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L54
Vulnerability details
Impact
There are two types of Quest, Erc20Quest and Erc1155Quest. Both contracts share the invariant that they must hold enough reward tokens for totalParticipants. However, if the number of receipts minted is less than totalParticipants, the owner is allowed to withdraw the remaining tokens to an address he specifies. This is implemented correctly in Erc20Quest, where the owner can only withdraw nonClaimableTokens, i.e. the balance that is not owed to holders of minted-but-unclaimed receipts. Erc1155Quest does not apply the same check: it withdraws the contract's whole balance of the reward token ID. As a result, all tokens in Erc1155Quest can be withdrawn before any user claims their receipt, leaving those users with receipts that can no longer be redeemed.
Proof of Concept
Please add this test to Erc1155Quest.spec.ts
Tools Used
Manual Review
Recommended Mitigation Steps
Consider only allowing the owner to withdraw the non-claimable tokens in Erc1155Quest, mirroring the Erc20Quest check: keep one unit of the reward token ID in the contract for every receipt that has been minted but not yet redeemed, and transfer only the remainder to the owner-specified address.
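As an added illustration (not the quest-protocol code and not the warden's PoC test), the following minimal Solidity contract places the unchecked withdrawal pattern the report describes beside a checked version in the spirit of the Erc20Quest nonClaimableTokens computation. All state variables and helpers here (receiptsMinted, redeemedTokens, receiptRedeemers(), rewardTokenId, endTime) are assumptions that stand in for the protocol's own receipt accounting, and claim() is simplified to one reward unit per receipt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Minimal slice of the ERC-1155 interface used below (not the full standard).
interface IERC1155Minimal {
    function balanceOf(address account, uint256 id) external view returns (uint256);
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

// Added example, not the quest-protocol contract. The state variables and the
// receiptRedeemers() helper are assumptions that mirror the issue text.
contract Erc1155QuestExample {
    address public owner;
    IERC1155Minimal public rewardToken;
    uint256 public rewardTokenId;      // ERC-1155 id handed out per receipt
    uint256 public totalParticipants;  // maximum receipts the quest can mint
    uint256 public endTime;            // withdrawals only after the quest ends
    uint256 public receiptsMinted;     // receipts minted so far (assumed tracking)
    uint256 public redeemedTokens;     // receipts already claimed

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    constructor(IERC1155Minimal token, uint256 tokenId, uint256 participants, uint256 end) {
        owner = msg.sender;
        rewardToken = token;
        rewardTokenId = tokenId;
        totalParticipants = participants;
        endTime = end;
    }

    // Needed so the contract can receive the reward units via safeTransferFrom.
    function onERC1155Received(address, address, uint256, uint256, bytes calldata) external pure returns (bytes4) {
        return this.onERC1155Received.selector;
    }

    // Stand-in for receipt minting: a participant earns the right to one claim.
    function mintReceipt() external {
        require(receiptsMinted < totalParticipants, "quest full");
        receiptsMinted += 1;
    }

    // Simplified claim: one reward unit per receipt, one claim per call.
    function claim() external {
        require(receiptsMinted > redeemedTokens, "nothing to claim");
        redeemedTokens += 1;
        rewardToken.safeTransferFrom(address(this), msg.sender, rewardTokenId, 1, "");
    }

    // Receipts that can still be redeemed (assumption: every minted receipt).
    function receiptRedeemers() public view returns (uint256) {
        return receiptsMinted;
    }

    // The pattern the issue describes: the entire balance of the reward id leaves
    // the contract, including units owed to minted-but-unclaimed receipts.
    function withdrawRemainingTokensUnchecked(address to) external onlyOwner {
        require(block.timestamp > endTime, "quest not ended");
        uint256 balance = rewardToken.balanceOf(address(this), rewardTokenId);
        rewardToken.safeTransferFrom(address(this), to, rewardTokenId, balance, "");
    }

    // Mitigation in the spirit of Erc20Quest: reserve one unit per unclaimed
    // receipt and let the owner take only the non-claimable remainder.
    function withdrawRemainingTokens(address to) external onlyOwner {
        require(block.timestamp > endTime, "quest not ended");
        uint256 unclaimed = receiptRedeemers() - redeemedTokens;
        uint256 balance = rewardToken.balanceOf(address(this), rewardTokenId);
        require(balance >= unclaimed, "reserve already short");
        uint256 nonClaimable = balance - unclaimed;
        if (nonClaimable > 0) {
            rewardToken.safeTransferFrom(address(this), to, rewardTokenId, nonClaimable, "");
        }
    }
}
```

With ten receipts minted, three claimed and ten units funded, withdrawRemainingTokensUnchecked sends all seven remaining units to the owner and the next claim() reverts in the token's transfer, whereas withdrawRemainingTokens keeps the seven units owed and sends nothing. If the reward amount per receipt is greater than one unit, multiply unclaimed by that amount before subtracting.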