Back to SovaSlava's contests

RabbitHole Quest Protocol contest - SovaSlava's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 173

Period: 5 days

Judge: kirk-baird

Total Solo HM: 1

Id: 208

League: ETH

RabbitHole

Findings Distribution

Researcher Performance

Rank: 83/173

Findings: 3

Award: $21.67

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryRabbitHole

Findings Information

🌟 Selected for report: adriro

Also found by: 0xMAKEOUTHILL, 0xMirce, 7siech, AkshaySrivastav, AlexCzm, Awesome, Aymen0909, Cryptor, Deivitto, DimitarDimitrov, ElKu, Garrett, Jayus, Josiah, Kenshin, KrisApostolov, RaymondFam, SovaSlava, Timenov, UdarTeam, amaechieth, btk, c3phas, codeislight, fellows, frankudoags, gzeon, hansfriese, luxartvinsec, millersplanet, mookimgo, navinavu, oberon, paspe, pavankv, petersspetrov, pfapostol, prestoncodes, rbserver, sakshamguruji, shark, thekmj, trustindistrust, tsvetanovv, usmannk, vagrant, vanko1, xAriextz, yosuke

Awards

2.5852 USDC - $2.59

Labels

bug
3 (High Risk)
satisfactory
duplicate-608

External Links

Link to GitHub issue

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L97

Vulnerability details

Impact

Modifier onlyMinter miss require(). So code will always continue execution.

Proof of Concept

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47

modifier onlyMinter() {
require(msg.sender == minterAddress, "only minter");
_;
}

#0 - c4-judge

2023-02-05T04:38:43Z

kirk-baird marked the issue as duplicate of #9

#1 - c4-judge

2023-02-05T04:38:48Z

kirk-baird marked the issue as partial-25

#2 - kirk-baird

2023-02-05T04:38:58Z

Partial credit due to lack of description of exploit

#3 - c4-judge

2023-02-14T08:39:16Z

kirk-baird marked the issue as satisfactory

Findings Information

🌟 Selected for report: adriro

Also found by: 0xRobocop, 0xmrhoodie, 0xngndev, AkshaySrivastav, ArmedGoose, Atarpara, Bauer, CodingNameKiki, ElKu, Garrett, HollaDieWaldfee, IllIllI, Iurii3, KIntern_NA, KmanOfficial, Lotus, M4TZ1P, MiniGlome, Ruhum, SovaSlava, bin2chen, bytes032, carrotsmuggler, cccz, chaduke, codeislight, cryptonue, doublesharp, evan, fs0c, glcanvas, gzeon, hansfriese, hihen, hl_, holme, horsefacts, ladboy233, lukris02, mahdikarimi, manikantanynala97, martin, mert_eren, mrpathfindr, omis, peakbolt, peanuts, prestoncodes, rbserver, rvierdiiev, sashik_eth, timongty, tnevler, trustindistrust, usmannk, wait, yixxas, zadaru13, zaskoh

Awards

0.3756 USDC - $0.38

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-605

External Links

Link to GitHub issue

Modifier onlyAdminWithdrawAfterEnd() in Quest.sol dont have check of msg.sender. Advice to rename onlyAdminWithdrawAfterEnd to withdrawAfterEnd

    modifier onlyAdminWithdrawAfterEnd() {
        if (block.timestamp < endTime) revert NoWithdrawDuringClaim();
        _;
//  NO CHECKS MSG.SENDER == OWNER
    }

its not critical, because receiver of fee is set in constructor

#0 - c4-judge

2023-02-05T06:00:26Z

kirk-baird changed the severity to 3 (High Risk)

#1 - c4-judge

2023-02-05T06:00:26Z

kirk-baird changed the severity to 3 (High Risk)

#2 - c4-judge

2023-02-05T06:00:34Z

kirk-baird marked the issue as duplicate of #23

#3 - c4-judge

2023-02-14T08:59:16Z

kirk-baird marked the issue as satisfactory

#4 - c4-judge

2023-02-14T08:59:34Z

kirk-baird marked the issue as partial-50

Findings Information

🌟 Selected for report: AkshaySrivastav

Also found by: KIntern_NA, SovaSlava, Tointer, Tricko, V_B, __141345__, betweenETHlines, bin2chen, cccz, critical-or-high, glcanvas, halden, hihen, jesusrod15, ladboy233, libratus, m9800, minhquanym, omis, peakbolt, rbserver, romand, rvierdiiev, wait, zaskoh

Awards

18.6976 USDC - $18.70

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-107

External Links

Link to GitHub issue

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L222

Vulnerability details

Impact

If project will be deployed to different blockchains, user can use one hash & signature for call function mintReceipt on one blockchain and after that on another blockchain. Because hash dont has chainId.

 if (keccak256(abi.encodePacked(msg.sender, questId_, block.chainid)) != hash_) revert InvalidHash();

#0 - c4-judge

2023-02-05T04:39:28Z

kirk-baird marked the issue as duplicate of #45

#1 - c4-judge

2023-02-14T09:36:08Z

kirk-baird changed the severity to 2 (Med Risk)

#2 - c4-judge

2023-02-14T09:37:01Z

kirk-baird marked the issue as satisfactory

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter