Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 158/173
Findings: 1
Award: $2.59
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xMAKEOUTHILL, 0xMirce, 7siech, AkshaySrivastav, AlexCzm, Awesome, Aymen0909, Cryptor, Deivitto, DimitarDimitrov, ElKu, Garrett, Jayus, Josiah, Kenshin, KrisApostolov, RaymondFam, SovaSlava, Timenov, UdarTeam, amaechieth, btk, c3phas, codeislight, fellows, frankudoags, gzeon, hansfriese, luxartvinsec, millersplanet, mookimgo, navinavu, oberon, paspe, pavankv, petersspetrov, pfapostol, prestoncodes, rbserver, sakshamguruji, shark, thekmj, trustindistrust, tsvetanovv, usmannk, vagrant, vanko1, xAriextz, yosuke
2.5852 USDC - $2.59
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L92-L97
The modifiers holding the name "onlyMinter", defined in the "contracts/RabbitHoleReceipt.sol" and "contracts/RabbitHoleTickets.sol" files do not implement an if or require checks. The lack of checking means that the modifiers do nothing about regulating the use of the "mint" function in the "contracts/RabbitHoleReceipt.sol" file and the "mint", and "mintBatch" functions in the "contracts/RabbitHoleTickets.sol" file respectively. No matter the if the user calling one of the functions has the required privileges or not they will always be allowed to execute the transaction.
The definition of the modifier in the "contracts/RabbitHoleReceipt.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
The definition of the modifier in the "contracts/RabbitHoleTickets.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50
Usage of the modifier in the "contracts/RabbitHoleReceipt.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98
Usage of the modifier in the "contracts/RabbitHoleTickets.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83
Implement a require or if check.
The code in the following examples assumes that the modifiers' functionality is supposed to check whether the user is the minter address.
Example with require: require(msg.sender == minterAddress, "Some error message here:");
Example with if: if (msg.sender == minterAddress) revert CustomError();
#0 - c4-judge
2023-02-06T23:37:01Z
kirk-baird marked the issue as duplicate of #9
#1 - c4-judge
2023-02-14T08:36:42Z
kirk-baird marked the issue as satisfactory