Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 9/173
Findings: 4
Award: $915.88
π Selected for report: 0
π Solo Findings: 0
π Selected for report: adriro
Also found by: 0xRobocop, 0xmrhoodie, 0xngndev, AkshaySrivastav, ArmedGoose, Atarpara, Bauer, CodingNameKiki, ElKu, Garrett, HollaDieWaldfee, IllIllI, Iurii3, KIntern_NA, KmanOfficial, Lotus, M4TZ1P, MiniGlome, Ruhum, SovaSlava, bin2chen, bytes032, carrotsmuggler, cccz, chaduke, codeislight, cryptonue, doublesharp, evan, fs0c, glcanvas, gzeon, hansfriese, hihen, hl_, holme, horsefacts, ladboy233, lukris02, mahdikarimi, manikantanynala97, martin, mert_eren, mrpathfindr, omis, peakbolt, peanuts, prestoncodes, rbserver, rvierdiiev, sashik_eth, timongty, tnevler, trustindistrust, usmannk, wait, yixxas, zadaru13, zaskoh
0.7512 USDC - $0.75
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Quest.sol#L76
function withdrawFee() in Erc20Quest.sol allows to withdraw the protocol fee to the recipient set in contract. Generally it should be an administrative operations (the owners decide when to perform fee withdrawal), which also can be confirmed by looking at modifier onlyAdminWithdrawAfterEnd Also, in case of a compromise of that address (fee recipient) potential attacker has easy way to just obtain protocol fees there.
The issue is function is public due to lack of owner check in modifier named onlyAdminWithdrawAfterEnd.
However
The modifier is here: https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Quest.sol#L76 and it only checks for quest end, and not for being an admin. Function withdrawFee https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L102 can be invoked by anyone, as long as quest ended. Note, that if that modifier in current shape is used in the future in other operations, this may lead to serious security flaws.
Manual approach
Add ownership check to that modifier.
#0 - c4-judge
2023-02-05T04:38:27Z
kirk-baird marked the issue as duplicate of #23
#1 - c4-judge
2023-02-14T08:54:38Z
kirk-baird changed the severity to 3 (High Risk)
#2 - c4-judge
2023-02-14T09:00:16Z
kirk-baird marked the issue as satisfactory
π Selected for report: carlitox477
Also found by: 0xRobocop, 0xbepresent, ArmedGoose, Atarpara, IllIllI, Tointer, UdarTeam, adriro, betweenETHlines, cryptojedi88, evan, glcanvas, gzeon, horsefacts, ladboy233, libratus, lukris02, luxartvinsec, manikantanynala97, minhquanym, mookimgo, p4st13r4, simon135, thekmj, trustindistrust
9.3488 USDC - $9.35
Judge has assessed an item in Issue #206 as 2 risk. The relevant finding follows:
Issue 2: receipts are not burned upon claiming reward.
In my opinion, current system of just claiming some tokens to be "used" has some downsides:
in any claim check, users spend gas to iterate over these tokens too etc. there are two loops in only claim function that checks every token of user
#0 - c4-judge
2023-02-16T07:10:53Z
kirk-baird marked the issue as duplicate of #119
#1 - c4-judge
2023-02-16T07:10:58Z
kirk-baird marked the issue as partial-50
#2 - c4-judge
2023-02-16T07:12:54Z
kirk-baird marked the issue as not a duplicate
#3 - c4-judge
2023-02-16T07:13:13Z
kirk-baird marked the issue as duplicate of #552
#4 - c4-judge
2023-02-16T07:13:51Z
kirk-baird marked the issue as partial-50
π Selected for report: simon135
Also found by: 0x4non, ArmedGoose, ForkEth, zaskoh
888.5808 USDC - $888.58
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Quest.sol#L114
State change is performed after call to _transferRewards, which under the hood executes _safeTransferFrom to the sender, which may also be a contract. Function claim() also does not have nonReentrant modifier, which might allow malicious users to reenter the function for example if transferred token contains a Callback function (e.g. onTokenReceive etc.).
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Quest.sol#L114
Manual approach
Change order, put current line 115 before current line 114 so no state updates are performed after call to external contract.
#0 - c4-judge
2023-02-05T04:58:37Z
kirk-baird marked the issue as duplicate of #239
#1 - kirk-baird
2023-02-05T04:59:08Z
Partial credit since the warden does not explain the impact to the protocol.
#2 - c4-judge
2023-02-05T04:59:13Z
kirk-baird marked the issue as partial-25
#3 - c4-judge
2023-02-14T09:22:31Z
kirk-baird marked the issue as satisfactory
π Selected for report: CodingNameKiki
Also found by: 0x1f8b, 0x4non, 0x5rings, 0xAgro, 0xMirce, 0xRobocop, 0xSmartContract, 0xackermann, AkshaySrivastav, ArmedGoose, Aymen0909, BClabs, Breeje, Dewaxindo, Diana, HollaDieWaldfee, IceBear, IllIllI, Iurii3, Josiah, Krayt, PaludoX0, Phenomana, PrasadLak, RaymondFam, Rolezn, SaeedAlipoor01988, SaharDevep, SleepingBugs, adriro, arialblack14, bin2chen, brevis, btk, carlitox477, carrotsmuggler, catellatech, chaduke, chrisdior4, cryptonue, cryptostellar5, csanuragjain, ddimitrov22, fellows, glcanvas, halden, hl_, horsefacts, jat, joestakey, kenta, libratus, lukris02, luxartvinsec, manikantanynala97, martin, matrix_0wl, nadin, nicobevi, oberon, peanuts, prestoncodes, rbserver, sakshamguruji, sashik_eth, sayan, seeu, thekmj, tnevler, trustindistrust, tsvetanovv, xAriextz, zadaru13, zaskoh
17.196 USDC - $17.20
SVG is rendering with unsanitized special charaters. The rendering function is using user input (string) (string memory questId_) to output an SVG. This might be lead to issues in the future, since SVG format allows for embedding javascript scripts inside, so potentially, if that function has any other use in the future, it might be abused to generate malicious images. However, at the moment probability is low, since it uses existing questId is created by administrative role, and anyone in posession of administrative role have plenty of other attack vectors than xssing users.
Occurence: https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/ReceiptRenderer.sol#L100
Remediation: Filter special characters, at least <, >, ", ' ideally allow only alphanumeric ones in the function.
References: https://github.com/code-423n4/2022-01-timeswap-findings/issues/131 https://securiumsolutions.com/blog/xss-through-svg-file-upload/
Issue 2: receipts are not burned upon claiming reward.
In my opinion, current system of just claiming some tokens to be "used" has some downsides:
Recommendation: the receipts should be burned upon reward is claimed for them, removing them from the circulating supply. This decreases gas consumption on users side and prevents potential scam attack vectors in the future.
#0 - c4-sponsor
2023-02-08T04:22:47Z
jonathandiep marked the issue as disagree with severity
#1 - c4-sponsor
2023-02-08T04:22:59Z
jonathandiep marked the issue as sponsor disputed
#2 - jonathandiep
2023-02-08T04:24:13Z
While malicious code could technically exist inside the svg, it will be up to frontends to prevent xss. We also do not want to burn receipts (users should keep them)
#3 - c4-judge
2023-02-16T07:12:48Z
kirk-baird marked the issue as grade-b