Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 162/173
Findings: 1
Award: $2.59
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xMAKEOUTHILL, 0xMirce, 7siech, AkshaySrivastav, AlexCzm, Awesome, Aymen0909, Cryptor, Deivitto, DimitarDimitrov, ElKu, Garrett, Jayus, Josiah, Kenshin, KrisApostolov, RaymondFam, SovaSlava, Timenov, UdarTeam, amaechieth, btk, c3phas, codeislight, fellows, frankudoags, gzeon, hansfriese, luxartvinsec, millersplanet, mookimgo, navinavu, oberon, paspe, pavankv, petersspetrov, pfapostol, prestoncodes, rbserver, sakshamguruji, shark, thekmj, trustindistrust, tsvetanovv, usmannk, vagrant, vanko1, xAriextz, yosuke
2.5852 USDC - $2.59
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47
Everyone and anyone can mint a receipt even though they are not an approved minterAddress.
The docs state: "We would like to call out extra attention to QuestFactory.mintReceipt (users should only be able to claim one receipt)". QuestFactory.mintReceipt therefore relies on RabbitHoleReceipt.mint, the function guarded by the onlyMinter modifier. Because the onlyMinter modifier does not enforce its check, anyone can call mint from arbitrary addresses to mint receipts for himself and do whatever he wants with them afterwards (sell them on a secondary market or claim them).
Manual audit, VS Code
Add a require() statement to the modifier to ensure that msg.sender == minterAddress.
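A constructed illustration of the unchecked modifier beside the recommended fix; this is added example code, not the project's contracts, and every name other than onlyMinter, mint and minterAddress is assumed:

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed illustration (not the project's code): a modifier that runs the
// function body without checking the caller, so the onlyMinter guard is a no-op.
contract ReceiptBefore {
    address public minterAddress;
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId = 1;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    // BUG: no condition is checked before `_;`, so any caller passes.
    modifier onlyMinter() {
        _;
    }

    function mint(address to) external onlyMinter returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = to;
    }
}

// Same contract with the recommended fix: the modifier reverts unless the
// caller is the configured minterAddress.
contract ReceiptAfter {
    address public minterAddress;
    mapping(uint256 => address) public ownerOf;
    uint256 public nextId = 1;

    constructor(address minter_) {
        minterAddress = minter_;
    }

    // FIX: enforce the access check before the function body runs.
    modifier onlyMinter() {
        require(msg.sender == minterAddress, "Only minter");
        _;
    }

    function mint(address to) external onlyMinter returns (uint256 id) {
        id = nextId++;
        ownerOf[id] = to;
    }
}
```

A unit test that calls mint from a non-minter address and expects a revert is the quickest way to confirm the modifier is actually enforced after the change.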
#0 - c4-judge
2023-02-05T02:40:29Z
kirk-baird marked the issue as duplicate of #9
#1 - c4-judge
2023-02-16T07:30:57Z
kirk-baird marked the issue as satisfactory