withdrawRemainingTokens fails to consider unclaimed receipts in Erc1155Quest #606
Labels
2 (Med Risk): Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug: Something isn't working
downgraded by judge: Judge downgraded the risk level of this issue
duplicate-528
satisfactory: satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L54-L63
Vulnerability details
The withdrawRemainingTokens implementation present in the Erc1155Quest contract allows the owner of the quest to claim back remaining tokens after the quest end time: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L54-L63
The function will transfer all of the reward tokens present in the contract and does not consider potential receipts that are still pending to be claimed.
Impact
After the owner of the quest calls withdrawRemainingTokens, all unclaimed receipts will be rendered worthless, since the quest contract doesn't have any tokens left to be handed out as rewards. If a user with an unclaimed receipt tries to call claim() to redeem their reward, the invocation will be reverted as the contract doesn't have the required tokens, which were previously withdrawn by the owner.
PoC
In the following test, Alice tries to claim her rewards after the owner has called withdrawRemainingTokens, which will fail due to insufficient funds in the contract.
Recommendation
Similar to the implementation of Erc20Quest, the contract can query the factory to know how many receipts are still pending to be claimed and withhold those funds in the contract for the users to claim.