RabbitHole Quest Protocol contest - mahdikarimi's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 173

Period: 5 days

Judge: kirk-baird

Total Solo HM: 1

Id: 208

League: ETH

RabbitHole

Researcher Performance

Rank: 169/173

Findings: 1

Award: $0.75

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104

Vulnerability details

Impact

protocolFeeRecipient can withdraw the fee multiple times, without limit, until there is no balance left in the contract.

Proof of Concept

The only check applied to the withdrawFee function is the onlyAdminWithdrawAfterEnd modifier, which ensures that the quest end time has passed. Since users may still claim their rewards after the quest end time, the contract is expected to hold a balance at that point, and because the function does not record whether it has already been called, it can be called multiple times. Even if the admin does not do this, anyone can, at no cost, because the function is public.

Scenario 1: The quest has ended and some users have not yet claimed their rewards. The admin calls the withdrawFee function, which sends protocolFee to the fee recipient; at the same time the fee recipient (or indeed anyone) calls the function again, and this can be repeated until there is no balance left in the contract, so users who have not yet claimed their rewards are unable to do so.

Tools Used

Manual Review

Recommended Mitigation Steps

Add a boolean state variable, for example feeClaimed, initialised to false in the constructor, which records whether the fee has been claimed. Declare a modifier that checks feeClaimed is false and reverts otherwise, apply this modifier to the withdrawFee function, and set the variable to true at the end of the function. This way, once the function has been called, it is not possible to call it again.
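A minimal Solidity model of this mitigation, added here as an example rather than the project's own code: the contract, its fee formula and its field names are assumptions that mirror the finding, and the feeClaimed flag is set before the token transfer so that a reentrant call cannot bypass the guard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Simplified model of an ERC20 quest's fee withdrawal (constructed for this
// example, not the project's code). The fee formula, field names and the
// onlyAdminWithdrawAfterEnd check are assumptions that mirror the finding.
contract QuestFeeModel {
    IERC20 public immutable rewardToken;
    address public immutable protocolFeeRecipient;
    uint256 public immutable endTime;
    uint256 public immutable rewardAmountInWei;
    uint256 public immutable questFeeBps;  // protocol fee in basis points
    uint256 public redeemedTokens;         // receipts redeemed so far
    bool public feeClaimed;                // the guard the finding recommends

    constructor(IERC20 token, address recipient, uint256 end, uint256 reward, uint256 feeBps) {
        rewardToken = token;
        protocolFeeRecipient = recipient;
        endTime = end;
        rewardAmountInWei = reward;
        questFeeBps = feeBps;
    }

    // Only checks that the quest has ended; it does not restrict the caller.
    modifier onlyAdminWithdrawAfterEnd() {
        require(block.timestamp > endTime, "quest has not ended");
        _;
    }

    // Reverts on every call after the first successful withdrawal.
    modifier onlyOnce() {
        require(!feeClaimed, "fee already claimed");
        _;
    }
    function protocolFee() public view returns (uint256) {
        return (redeemedTokens * rewardAmountInWei * questFeeBps) / 10_000;
    }

    // Vulnerable form: `withdrawFee() external onlyAdminWithdrawAfterEnd` alone,
    // which pays protocolFee() again on every call until the balance is drained.
    // Hardened form: add onlyOnce and set feeClaimed before the external transfer.
    function withdrawFee() external onlyAdminWithdrawAfterEnd onlyOnce {
        feeClaimed = true;
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee()), "transfer failed");
    }
}
```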

#0 - c4-judge

2023-02-05T05:14:51Z

kirk-baird marked the issue as duplicate of #23

#1 - c4-judge

2023-02-14T09:00:07Z

kirk-baird marked the issue as satisfactory
