Upgraded Q -> 3 from #154 [1675567996775] #684
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
duplicate-605
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
|
kirk-baird marked the issue as duplicate of #23 |
c4-judge
added
the
satisfactory
|
kirk-baird marked the issue as satisfactory |
c4-judge
added
duplicate-587
duplicate-377
duplicate-605
and removed
duplicate-23
duplicate-587
duplicate-377
labels
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Judge has assessed an item in Issue #154 as 3 risk. The relevant finding follows:
Erc20Quest.withdrawFee() can be called against a quest more than once
function withdrawFee() public onlyAdminWithdrawAfterEnd {
IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
}
The withdrawFee() function does not update the state of the Quest in such a way as to track claims against a set of currently-redeemed receipts. As such, even if no new users call claim(), protocol fees can be withdrawn more than once.
In the event of future decentralization of the protocol, unscrupulous projects could use this to reclaim tokens and deny valid receipts.
This multiple-claim issue factors into the Medium finding concerning denial of valid receipts due to griefing by 3rd parties.
The text was updated successfully, but these errors were encountered: