Protocol fees can be withdrawn multiple times in Erc20Quest
#605
Comments
kirk-baird marked the issue as duplicate of #23
kirk-baird marked the issue as satisfactory
kirk-baird marked the issue as selected for report
kirk-baird marked the issue as primary issue
waynehoover marked the issue as disagree with severity
While I agree that this is an issue, it is not a high risk issue. I expect high risk issues to be issues that can be called by anyone, not owners. As owners there are plenty of ways we can sabotage our contracts (for example via the set* functions); it is up to the owner to be sure they are executing the function correctly and in the correct context. The owner understands how this function works, so they can be sure not to call it multiple times.
I agree with @gzeoneth. This issue is a combination of two sub-issues.
Allowing it to be called by anyone is sufficient to rate it high severity.
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104
Vulnerability details
The `withdrawFee` function present in the `Erc20Quest` contract can be used to withdraw protocol fees after a quest has ended, which are sent to the protocol fee recipient address: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104
This function doesn't provide any kind of protection against repeated calls and can be called multiple times, which will send more tokens than intended to the protocol fee recipient, stealing funds from the contract.
Impact
The `withdrawFee` function can be called multiple times after a quest has ended, potentially stealing funds from other people. The contract may have funds from unclaimed receipts (i.e. users that have completed the quest, redeemed their receipt but haven't claimed their rewards yet) and remaining tokens from participants who didn't complete the quest, which can be claimed back by the owner of the quest.
Note also that the `onlyAdminWithdrawAfterEnd` modifier, even though it indicates that an "admin" should be allowed to call this function, only validates the quest end time and fails to provide any kind of access control: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L76-L79
This means that anyone could call this function, so even if the quest owner or the protocol fee recipient behave correctly, a griefer could potentially call this function right after the quest end time to remove all (or most) of the funds from the contract.
PoC
In the following demonstration, the `withdrawFee` function is called multiple times by a bad actor to remove all tokens from the quest contract.
Recommendation
Add a flag to the contract to indicate if protocol fees have been already withdrawn. Add a check to prevent the function from being called again.
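The following is an added illustration of the recommended fix, written for this write-up and not taken from the quest-protocol code base: a minimal quest-like contract (`QuestFeeExample`, with an assumed fixed `protocolFee` amount and assumed `owner` / `protocolFeeRecipient` roles) whose `withdrawFee` is guarded both by a one-shot `feesWithdrawn` flag and by a modifier that actually checks the caller.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical minimal contract for illustration; not the project's code.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract QuestFeeExample {
    IERC20 public immutable rewardToken;
    address public immutable owner;                // assumed quest owner role
    address public immutable protocolFeeRecipient; // receives the fee
    uint256 public immutable endTime;
    uint256 public immutable protocolFee;          // assumed fixed fee amount
    bool public feesWithdrawn;                     // added: one-shot flag

    constructor(IERC20 token, address feeRecipient, uint256 end, uint256 fee) {
        rewardToken = token;
        owner = msg.sender;
        protocolFeeRecipient = feeRecipient;
        endTime = end;
        protocolFee = fee;
    }

    // Hardened modifier: checks the end time AND the caller, so an arbitrary
    // third party cannot trigger the withdrawal the moment the quest ends.
    modifier onlyAdminWithdrawAfterEnd() {
        require(block.timestamp > endTime, "quest not ended");
        require(
            msg.sender == owner || msg.sender == protocolFeeRecipient,
            "caller is not an admin"
        );
        _;
    }

    // Fee can be withdrawn exactly once. The flag is set before the external
    // token call (checks-effects-interactions), so a second call, including a
    // re-entrant one from a malicious token, reverts at the require.
    function withdrawFee() external onlyAdminWithdrawAfterEnd {
        require(!feesWithdrawn, "protocol fee already withdrawn");
        feesWithdrawn = true;
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee), "transfer failed");
    }
}
```

A regression test for this fix should call `withdrawFee` twice from the admin account and assert the second call reverts with "protocol fee already withdrawn", and call it once from a non-admin account and assert it reverts with "caller is not an admin".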