Anyone can mint receipts, onlyMinter modifier missing require(), therefore it's basically useless. #97
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-608
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
3 (High Risk)
|
kirk-baird marked the issue as duplicate of #9 |
|
kirk-baird marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47
Vulnerability details
Impact
Everyone and anyone can mint a receipt even though they are not an approved minterAddress.
Proof of Concept
In the docs is stated that : "We would like to call out extra attention to QuestFactory.mintReceipt (users should only be able to claim one receipt)".
Therefore it uses the RabbitHoleReceipt.mint, which is the function that uses the onlyMinter modifier since the onlyMinter modifier doesn't work accordingly anyone can choose to use different addresses to mint himself receipts and doing whatever he wants with them after that (sell them on secondary market or claim them).
Tools Used
Manual Audit, VS Code
Recommended Mitigation Steps
add require() statement in the modifier to ensure the msg.sender == minterAddress
The text was updated successfully, but these errors were encountered: