Upgraded Q -> 3 from #154 [1675567996775] #684
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
duplicate-605
satisfactory
satisfies C4 submission criteria; eligible for awards
Judge has assessed an item in Issue #154 as 3 risk. The relevant finding follows:
Erc20Quest.withdrawFee() can be called against a quest more than once
```solidity
// Erc20Quest.withdrawFee() as cited in the finding: no state records that the
// fee has already been paid out, so each call transfers protocolFee() again.
function withdrawFee() public onlyAdminWithdrawAfterEnd {
    IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
}
```
The withdrawFee() function does not update the state of the Quest in such a way as to track claims against a set of currently-redeemed receipts. As such, even if no new users call claim(), protocol fees can be withdrawn more than once.
In the event of future decentralization of the protocol, unscrupulous projects could use this to reclaim tokens and deny valid receipts.
This multiple-claim issue factors into the Medium finding concerning denial of valid receipts due to griefing by 3rd parties.
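As an added illustration (not the project's Erc20Quest code), a minimal sketch of the finding's shape next to one hardened form that tracks how much fee has already been paid out; the token interface, the admin/end-time modifier, the `redeemedReceipts` counter and the fee formula are simplified assumptions standing in for the real ones.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative only: names and formulas below are assumptions, not the project's.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

contract QuestFeeSketch {
    IERC20 public immutable rewardToken;
    address public immutable protocolFeeRecipient;
    address public immutable owner;
    uint256 public immutable endTime;
    uint256 public immutable feePerReceipt;
    uint256 public redeemedReceipts; // assumed: incremented by claim()
    uint256 public feePaidOut;       // added: cumulative fee already transferred

    constructor(IERC20 token_, address recipient_, uint256 endTime_, uint256 fee_) {
        rewardToken = token_;
        protocolFeeRecipient = recipient_;
        owner = msg.sender;
        endTime = endTime_;
        feePerReceipt = fee_;
    }

    modifier onlyAdminWithdrawAfterEnd() {
        require(msg.sender == owner, "not admin");
        require(block.timestamp > endTime, "quest not ended");
        _;
    }

    // Fee owed in total, derived from receipts redeemed so far.
    function protocolFee() public view returns (uint256) {
        return redeemedReceipts * feePerReceipt;
    }

    // Shape of the finding: nothing is written before the transfer, so a repeat
    // call pays protocolFee() again even when no further receipts were claimed.
    function withdrawFeeUnguarded() external onlyAdminWithdrawAfterEnd {
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee()), "transfer failed");
    }

    // Hardened form: only the not-yet-paid portion leaves the contract, and the
    // accounting is updated before the external call (checks-effects-interactions).
    function withdrawFee() external onlyAdminWithdrawAfterEnd {
        uint256 owed = protocolFee() - feePaidOut;
        require(owed > 0, "nothing to withdraw");
        feePaidOut += owed;
        require(rewardToken.transfer(protocolFeeRecipient, owed), "transfer failed");
    }
}
```

A second call to the hardened `withdrawFee()` with no new claims reverts on `owed == 0`, while fees for receipts redeemed after the first withdrawal remain collectable.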