Bad implementation in minter access control for RabbitHoleReceipt and RabbitHoleTickets contracts #608
Labels
3 (High Risk): Assets can be stolen/lost/compromised directly
bug: Something isn't working
H-01
primary issue: Highest quality submission among a set of duplicates
satisfactory: satisfies C4 submission criteria; eligible for awards
selected for report: This submission will be included/highlighted in the audit report
sponsor confirmed: Sponsor agrees this is a problem and intends to fix it (OK to use w/ "disagree with severity")
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50
Vulnerability details
Both RabbitHoleReceipt and RabbitHoleTickets contracts define a mint function that is protected by an onlyMinter modifier:
RabbitHoleReceipt:
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98-L104
RabbitHoleTickets:
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83-L85
However, in both cases the modifier implementation is flawed: the check is not wrapped in a require and is not followed by a revert, so the comparison silently returns false and execution continues:
Impact
Any account can mint any number of RabbitHoleReceipt and RabbitHoleTickets tokens.
This represents a critical issue as receipts can be used to claim rewards in quests. An attacker can freely mint receipt tokens for any quest to steal all the rewards from it.
PoC
The following test demonstrates the issue.
Recommendation
The modifier should require that the caller is the minterAddress in order to revert the call in case this condition doesn't hold.
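The flawed modifier pattern described under "Vulnerability details", next to the form the recommendation asks for, as an added illustration that is not the RabbitHole source. The contract name, `onlyMinterUnchecked`, `mintUnchecked`, `balanceOf` and the revert string are hypothetical; only `onlyMinter`, `minterAddress` and `mint` come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example of the access-control pattern in this finding.
// Not the project's code: the storage layout and names are assumptions.
contract MinterGateDemo {
    address public minterAddress;
    mapping(address => uint256) public balanceOf;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    // Flawed form: the comparison is a bare expression statement. Its
    // boolean result is discarded, nothing reverts, and the function
    // body at `_` runs for every caller.
    modifier onlyMinterUnchecked() {
        msg.sender == minterAddress;
        _;
    }

    // Corrected form: the call reverts unless the caller is minterAddress.
    modifier onlyMinter() {
        require(msg.sender == minterAddress, "caller is not the minter");
        _;
    }

    // Callable by any account, because the modifier never reverts.
    function mintUnchecked(address to, uint256 amount) external onlyMinterUnchecked {
        balanceOf[to] += amount;
    }

    // Callable only by minterAddress.
    function mint(address to, uint256 amount) external onlyMinter {
        balanceOf[to] += amount;
    }
}
```

A regression test for the fix calls `mint` from an account other than `minterAddress` and asserts that the call reverts.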