Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 45/173
Findings: 3
Award: $54.60
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: carlitox477
Also found by: 0xRobocop, 0xbepresent, ArmedGoose, Atarpara, IllIllI, Tointer, UdarTeam, adriro, betweenETHlines, cryptojedi88, evan, glcanvas, gzeon, horsefacts, ladboy233, libratus, lukris02, luxartvinsec, manikantanynala97, minhquanym, mookimgo, p4st13r4, simon135, thekmj, trustindistrust
18.6976 USDC - $18.70
If the `claim` function runs out of gas, the caller can never claim any rewards without transferring the NFTs to another address first.
Currently, the `claim` function loops over the `msg.sender`'s NFTs. If this list ever becomes too large, the function will run out of gas.
VSCode
Consider implementing pagination for reward claiming.
#0 - c4-judge
2023-02-06T23:10:02Z
kirk-baird marked the issue as duplicate of #135
#1 - c4-judge
2023-02-14T09:17:02Z
kirk-baird marked the issue as satisfactory
🌟 Selected for report: AkshaySrivastav
Also found by: KIntern_NA, SovaSlava, Tointer, Tricko, V_B, __141345__, betweenETHlines, bin2chen, cccz, critical-or-high, glcanvas, halden, hihen, jesusrod15, ladboy233, libratus, m9800, minhquanym, omis, peakbolt, rbserver, romand, rvierdiiev, wait, zaskoh
18.6976 USDC - $18.70
A replay attack could lead to undesired minting of NFTs from other privileged contracts and on other chains.
Currently, the `mintReceipt` function mints one NFT to the `msg.sender` if the signature is valid. However, since the signature only consists of `msg.sender` and `_questId`, it becomes vulnerable to a replay attack.
Consider the following scenario:
The Rabbithole team decides to go cross-chain with the same contracts. Alice got an approved signature for questId 1 on the origin chain. However, this signature is now also valid on the new chain.
Furthermore, this issue would also be present if a new `QuestFactory` is deployed and used.
VSCode
Consider simply adding the `chainId` and `address(this)` to the signature in order to reduce the risk of replay attacks. Moreover, it might make sense to implement an expiry timestamp.
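The mitigation above, sketched as an added example that is not part of the original submission or the audited code: the contract, function and variable names are hypothetical, and the EIP-191 prefix and the used-digest mapping are assumptions about how the signer and contract would be set up.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration only: every name here is hypothetical and is not
// taken from the audited code base.
contract ReceiptMinterSketch {
    address public immutable claimSigner;        // off-chain signer (assumed)
    mapping(bytes32 => bool) public usedDigest;  // one mint per signed message

    event ReceiptAuthorized(address indexed account, string questId);

    constructor(address signer_) {
        claimSigner = signer_;
    }

    // Weak form described in the finding: only the caller and the quest id
    // are signed, so the same signature verifies on any chain and on any
    // other deployment that trusts the same signer.
    function weakDigest(address account, string memory questId)
        public pure returns (bytes32)
    {
        return keccak256(abi.encodePacked(account, questId));
    }

    // Hardened form: the digest is bound to this chain, this contract
    // instance and an expiry time, as the recommendation suggests.
    function boundDigest(address account, string memory questId, uint256 deadline)
        public view returns (bytes32)
    {
        return keccak256(
            abi.encode(block.chainid, address(this), account, questId, deadline)
        );
    }

    function mintReceipt(
        string memory questId, uint256 deadline, uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp <= deadline, "signature expired");
        bytes32 digest = boundDigest(msg.sender, questId, deadline);
        require(!usedDigest[digest], "signature already used");
        // EIP-191 personal-sign prefix over the 32-byte digest.
        bytes32 ethHash = keccak256(
            abi.encodePacked("\x19Ethereum Signed Message:\n32", digest)
        );
        address recovered = ecrecover(ethHash, v, r, s);
        require(recovered != address(0) && recovered == claimSigner, "bad signature");
        usedDigest[digest] = true;  // keyed by digest, so a malleated (r, s) cannot reuse it
        emit ReceiptAuthorized(msg.sender, questId);  // the NFT mint would follow here
    }
}
```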
#0 - c4-judge
2023-02-06T23:04:39Z
kirk-baird marked the issue as duplicate of #45
#1 - c4-judge
2023-02-14T09:57:54Z
kirk-baird marked the issue as satisfactory