RabbitHole Quest Protocol contest - ForkEth's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 173

Period: 5 days

Judge: kirk-baird

Total Solo HM: 1

Id: 208

League: ETH

RabbitHole

Findings Distribution

Researcher Performance

Rank: 10/173

Findings: 2

Award: $905.78

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository RabbitHole

Findings Information

🌟 Selected for report: simon135

Also found by: 0x4non, ArmedGoose, ForkEth, zaskoh

Labels

bug

2 (Med Risk)

disagree with severity

satisfactory

duplicate-523

Awards

888.5808 USDC - $888.58

External Links

Link to GitHub issue

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L114-L115 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81-L87

Vulnerability details

Impact

The claim() function declared in the Quest.sol does not have a reentrancy guard. Since the "redeemedTokens" are only updated after the transference there is an opportunity to call the function "withdrawRemainingTokens" from ERC20Quest.sol via fallback without the redeemedTokens getting updated. The following statement, states that only non-necessary tokens should be available to be retrieved: "Every receipt minted should still be able to claim rewards". Using the reentrancy previously mentioned a mal-intentioned owner that has a complete Quest can withdraw more than the maximum amount of tokens leaving the contract without enough funds to pay everyone that has completed quests.

Proof of Concept

Malicious owner: claim() --> fallback() call onlyAdminWithdrawAfterEnd(owner_address)

last user that claims a quest: claim() //will fail since there are no more tokens in the contract

Recommended Mitigation Steps

Perform the "redeemedTokens += redeemableTokenCount;" before the _transferRewards.

#0 - c4-judge
2023-02-05T04:58:22Z

kirk-baird marked the issue as primary issue

#1 - c4-sponsor
2023-02-07T20:41:47Z

waynehoover marked the issue as disagree with severity

#2 - waynehoover
2023-02-07T20:42:50Z

This is a centralization risk, or like the poster noted only a mal-intentioned owner could implement this. This isn’t a trustless protocol and we have control over what “owners” are allowed to interact with it.

#3 - c4-judge
2023-02-14T09:22:13Z

kirk-baird marked issue #523 as primary and marked this issue as a duplicate of 523

#4 - c4-judge
2023-02-14T09:22:27Z

kirk-baird marked the issue as satisfactory

RabbitHole Quest Protocol contest - ForkEth's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Findings Distribution

Researcher Performance

External Links

[M-05] Erc20Quest Reentrancy on claim() - $888.58

Findings Information

Labels

Awards

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Recommended Mitigation Steps

#0 - c4-judge2023-02-05T04:58:22Z

#1 - c4-sponsor2023-02-07T20:41:47Z

#2 - waynehoover2023-02-07T20:42:50Z

#3 - c4-judge2023-02-14T09:22:13Z

#4 - c4-judge2023-02-14T09:22:27Z

#0 - c4-judge
2023-02-05T04:58:22Z

#1 - c4-sponsor
2023-02-07T20:41:47Z

#2 - waynehoover
2023-02-07T20:42:50Z

#3 - c4-judge
2023-02-14T09:22:13Z

#4 - c4-judge
2023-02-14T09:22:27Z