Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 50/173
Findings: 4
Award: $48.91
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xRobocop, 0xmrhoodie, 0xngndev, AkshaySrivastav, ArmedGoose, Atarpara, Bauer, CodingNameKiki, ElKu, Garrett, HollaDieWaldfee, IllIllI, Iurii3, KIntern_NA, KmanOfficial, Lotus, M4TZ1P, MiniGlome, Ruhum, SovaSlava, bin2chen, bytes032, carrotsmuggler, cccz, chaduke, codeislight, cryptonue, doublesharp, evan, fs0c, glcanvas, gzeon, hansfriese, hihen, hl_, holme, horsefacts, ladboy233, lukris02, mahdikarimi, manikantanynala97, martin, mert_eren, mrpathfindr, omis, peakbolt, peanuts, prestoncodes, rbserver, rvierdiiev, sashik_eth, timongty, tnevler, trustindistrust, usmannk, wait, yixxas, zadaru13, zaskoh
0.7512 USDC - $0.75
When block.timestamp is greater than endTime anyone can call the function withdrawFee from the ERC20Quest.sol contract.
The problem is that this function can be called multiple times until draining all the funds from the contract, causing people not been able to claim their receipts.
Let's say the quest have the following parameters:
fee == 20% total participants == 2 reward amount == 1000 units
Both participants have minted their receipt, hence receiptRedeemers returns 2.
Before anyone claiming either receipts or fees, the contract must hold at least 2,400 units of tokens. 2000 (participants * rewardamount) + 400 (20% fee).
Let's say participant 1 claim at time t before endTime. Now the contract holds 1,400 units. After endTime someone call withdrawFee making the contract send 400 units of tokens to protocolFeeRecipient. This can be repeated until leaving the contract with 200 units of tokens. After this, participant number 2 wont be able to claim his receipt.
Manual.
withdrawFee should only be called once.
#0 - c4-judge
2023-02-05T05:02:30Z
kirk-baird marked the issue as duplicate of #23
#1 - c4-judge
2023-02-14T08:54:38Z
kirk-baird changed the severity to 3 (High Risk)
#2 - c4-judge
2023-02-14T09:00:08Z
kirk-baird marked the issue as satisfactory
🌟 Selected for report: adriro
Also found by: 0xRobocop, 0xbepresent, Breeje, CodingNameKiki, HollaDieWaldfee, Kenshin, M4TZ1P, Ruhum, Tricko, badman, bin2chen, carrotsmuggler, cccz, csanuragjain, glcanvas, joestakey, lukris02, m9800, mert_eren, peakbolt, peanuts, prestoncodes, rvierdiiev, sashik_eth
21.6061 USDC - $21.61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81
The purpose of withdrawRemainingTokens is to withdraw all the tokens that wont be claimed by participants, because endTime has passed and some receipts were not minted. Leaving on the contract the exact amount for minted but not claimed receipts and for the protocol fee given the amount of minted receipts.
So the function has an assumption that receipts cannot be minted after endTime but following the control flow, there is no check that ensures this, nor a deadline for the signatures to be valid.
If someone mints a receipt after the owner called withdrawRemainingTokens then the contract wont have enough tokens to pay all the mintedd receipts nor the protocol fee.
Maybe the Front End wont stop giving signatures after endTime but the user can request a signature before endTime, and then cancelling the transaction but copying the valid signature to be used later.
Manual
Make signatures have a deadline to be used or not allow minting after endTime
#0 - c4-judge
2023-02-05T05:03:25Z
kirk-baird marked the issue as duplicate of #42
#1 - c4-judge
2023-02-06T08:22:49Z
kirk-baird marked the issue as not a duplicate
#2 - c4-judge
2023-02-06T08:23:03Z
kirk-baird marked the issue as duplicate of #22
#3 - c4-judge
2023-02-14T08:47:25Z
kirk-baird marked the issue as satisfactory
🌟 Selected for report: carlitox477
Also found by: 0xRobocop, 0xbepresent, ArmedGoose, Atarpara, IllIllI, Tointer, UdarTeam, adriro, betweenETHlines, cryptojedi88, evan, glcanvas, gzeon, horsefacts, ladboy233, libratus, lukris02, luxartvinsec, manikantanynala97, minhquanym, mookimgo, p4st13r4, simon135, thekmj, trustindistrust
9.3488 USDC - $9.35
Judge has assessed an item in Issue #251 as 2 risk. The relevant finding follows:
[L-03] The claim function might use an amount of gas greater than the block gas limit. Description:
The claim function at the Quest.sol contract can consume an amount of gas greater than the block gas limit if the user has too many receipts.
Mitigation:
Make users know they might need to split their receipts accross other wallets in this case.
#0 - c4-judge
2023-02-05T05:06:53Z
kirk-baird marked the issue as duplicate of #135
#1 - c4-judge
2023-02-05T05:07:08Z
kirk-baird marked the issue as partial-50
🌟 Selected for report: CodingNameKiki
Also found by: 0x1f8b, 0x4non, 0x5rings, 0xAgro, 0xMirce, 0xRobocop, 0xSmartContract, 0xackermann, AkshaySrivastav, ArmedGoose, Aymen0909, BClabs, Breeje, Dewaxindo, Diana, HollaDieWaldfee, IceBear, IllIllI, Iurii3, Josiah, Krayt, PaludoX0, Phenomana, PrasadLak, RaymondFam, Rolezn, SaeedAlipoor01988, SaharDevep, SleepingBugs, adriro, arialblack14, bin2chen, brevis, btk, carlitox477, carrotsmuggler, catellatech, chaduke, chrisdior4, cryptonue, cryptostellar5, csanuragjain, ddimitrov22, fellows, glcanvas, halden, hl_, horsefacts, jat, joestakey, kenta, libratus, lukris02, luxartvinsec, manikantanynala97, martin, matrix_0wl, nadin, nicobevi, oberon, peanuts, prestoncodes, rbserver, sakshamguruji, sashik_eth, sayan, seeu, thekmj, tnevler, trustindistrust, tsvetanovv, xAriextz, zadaru13, zaskoh
17.196 USDC - $17.20
Ownable2StepUpgradeable and Ownable2Step instead of OwnableUpgradeable and Ownable.Description:
Using a 1-step transfer of ownership is dangerous. If an incorrect address is passed as the new owner, there is no coming back.
Better use the 2-step pattern from OZ. Ownable2Step.sol and Ownable2StepUpgradeable.sol.
Found at :
Quest.sol QuestFactory.sol RabbitHoleReceipt.sol
Description:
When using _safeMint() of the ERC721 OZ implementation there is a call to the address of the _to paramenter to make sure the account can receive an ERC-721 token. This can be used to re-enter the contract causing unexpected behaviors.
This can happen also when using erc-777 tokens instead of erc-20 tokens.
Use a mutex like the OZ nonReentrant
Found at:
Description:
The claim function at the Quest.sol contract can consume an amount of gas greater than the block gas limit if the user has too many receipts.
Mitigation:
Make users know they might need to split their receipts accross other wallets in this case.
For a better usability of off-chain message signing for use on-chain use the EIP-712 standard.
There is a non-zero risk of making a mistake of setting protocolFeeReceipt address to an account not been able to manage ERC-20 tokens. Effectively losing all the tokens send to it through the protocol fee.
#0 - c4-judge
2023-02-05T05:07:33Z
kirk-baird marked the issue as grade-b
#1 - c4-sponsor
2023-02-08T04:10:45Z
jonathandiep marked the issue as sponsor acknowledged