Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 30/173
Findings: 3
Award: $145.31
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xRobocop, 0xmrhoodie, 0xngndev, AkshaySrivastav, ArmedGoose, Atarpara, Bauer, CodingNameKiki, ElKu, Garrett, HollaDieWaldfee, IllIllI, Iurii3, KIntern_NA, KmanOfficial, Lotus, M4TZ1P, MiniGlome, Ruhum, SovaSlava, bin2chen, bytes032, carrotsmuggler, cccz, chaduke, codeislight, cryptonue, doublesharp, evan, fs0c, glcanvas, gzeon, hansfriese, hihen, hl_, holme, horsefacts, ladboy233, lukris02, mahdikarimi, manikantanynala97, martin, mert_eren, mrpathfindr, omis, peakbolt, peanuts, prestoncodes, rbserver, rvierdiiev, sashik_eth, timongty, tnevler, trustindistrust, usmannk, wait, yixxas, zadaru13, zaskoh
0.7512 USDC - $0.75
Because withdraw token can be used by anyone and doesn't update protocolFee, every call will transfer the protocolFee amount of tokens and will drain all of other people's money to protocolFeeRecepientAddress.
This is a Hardhat test for the PoC. It can be tested by pasting this code into test/Erc20Quest.spec.ts: https://imgur.com/a/sZp3DQS
It can be arranged so that it can be called at most one time.
#0 - c4-judge
2023-02-03T10:50:11Z
kirk-baird marked the issue as duplicate of #23
#1 - c4-judge
2023-02-14T09:00:37Z
kirk-baird marked the issue as satisfactory
🌟 Selected for report: adriro
Also found by: 0xRobocop, 0xbepresent, Breeje, CodingNameKiki, HollaDieWaldfee, Kenshin, M4TZ1P, Ruhum, Tricko, badman, bin2chen, carrotsmuggler, cccz, csanuragjain, glcanvas, joestakey, lukris02, m9800, mert_eren, peakbolt, peanuts, prestoncodes, rvierdiiev, sashik_eth
21.6061 USDC - $21.61
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L230
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L91-L93
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L84-L85
A signature can be earned before the contest finishes, but the NFT can be minted after that. If a malicious user waits for the end of the contest and the owner's withdrawal of the remaining amount to mint the NFT, then the fee recipient's or other users' claim functions will unexpectedly revert due to a lack of tokens.
The withdrawRemainingTokens function in the ERC20 contract assumes that only addresses that have minted an NFT can take the remaining tokens, and that the fee recipient works with the minted NFT amount, so this function gives the user all the other tokens, which cannot be claimed by NFT minters. However, a user can mint even after the quote is over, with a valid signature that was earned during the quote and has not been used yet. As a numeric example, let's assume at most 10 people can take tokens and 7 people mint an NFT before the owner withdraws the remainder. So the owner withdraws 3*rewardAmount from the contract. However, 1 more person has a valid signature, and after the owner withdraws the money, if someone's money is still inside or withdrawfee has not been used, the malicious user can take their money by minting an NFT and claiming the reward. There is no check to stop him. After that, the claim or withdrawfee functions for other users will revert due to insufficient balance.
Minting NFTs after the competition can be limited by using block.timestamp.
#0 - c4-judge
2023-02-05T05:04:07Z
kirk-baird marked the issue as duplicate of #22
#1 - c4-judge
2023-02-14T08:42:51Z
kirk-baird changed the severity to 2 (Med Risk)
#2 - c4-judge
2023-02-14T08:48:18Z
kirk-baird marked the issue as satisfactory
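The late-mint scenario from the finding above, with and without a mint deadline, as an added example that is not part of the submission or the project's code. `DeadlineModel`, its fields and all numbers are constructed; fees are left out and signature checks are assumed to have passed.

```python
# Constructed model of the late-mint scenario; not the Erc20Quest code.
# Fees are left out, and signature verification is assumed to have passed.
class DeadlineModel:
    def __init__(self, total, reward, end_time, enforce_deadline):
        self.total, self.reward, self.end_time = total, reward, end_time
        self.enforce_deadline = enforce_deadline   # True = mitigated variant
        self.balance = total * reward              # funded for every slot
        self.minted = self.claimed = 0

    def mint(self, now):
        # Mitigation from the finding: refuse mints after the quest end time.
        if self.enforce_deadline and now > self.end_time:
            raise RuntimeError("revert: quest has ended")
        self.minted += 1

    def claim(self):
        if self.balance < self.reward:
            raise RuntimeError("revert: insufficient balance")
        self.balance -= self.reward
        self.claimed += 1

    def withdraw_remaining(self):
        # Leaves only enough for receipts minted so far and not yet claimed.
        amount = self.balance - (self.minted - self.claimed) * self.reward
        self.balance -= amount
        return amount

def late_mint_scenario(enforce_deadline):
    q = DeadlineModel(10, 100, 1000, enforce_deadline)
    for _ in range(7):
        q.mint(now=500)                 # 7 receipts minted during the quest
    for _ in range(5):
        q.claim()                       # 5 of them already claimed
    owner_got = q.withdraw_remaining()  # owner takes 3 * reward after the end
    try:
        q.mint(now=1002)                # unused signature, minted after the end
        q.claim()
        late_claim_paid = True
    except RuntimeError:
        late_claim_paid = False
    reverted = 0
    for _ in range(2):                  # the two earlier minters claim last
        try:
            q.claim()
        except RuntimeError:
            reverted += 1
    return owner_got, late_claim_paid, reverted
```

Without the deadline the late claim is paid from tokens reserved for earlier minters and one of their claims reverts; with it the late mint is rejected and both claims succeed.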
🌟 Selected for report: carrotsmuggler
Also found by: AkshaySrivastav, ElKu, HollaDieWaldfee, Iurii3, KmanOfficial, adriro, bin2chen, evan, hansfriese, hl_, mert_eren, omis, peanuts
122.948 USDC - $122.95
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L85
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L96-L98
Because protocolFee doesn't update with withdrawFee, the withdraw remaining function doesn't understand that protocol fees were withdrawn before and gives too little money to the owner.
The contract's token balance decreases with withdrawFee, but protocolFee doesn't update. When calculating the remaining tokens, even if withdrawFee has been called before, it still takes this fee amount into account at line 85, so it gives too few tokens to the quote owner.
Update protocolFee() after using withdrawFee().
#0 - c4-judge
2023-02-03T10:49:51Z
kirk-baird marked the issue as duplicate of #42
#1 - c4-judge
2023-02-06T08:18:19Z
kirk-baird marked the issue as not a duplicate
#2 - c4-judge
2023-02-06T08:18:41Z
kirk-baird marked the issue as duplicate of #61
#3 - c4-judge
2023-02-14T09:59:51Z
kirk-baird marked the issue as satisfactory
#4 - c4-judge
2023-02-23T23:48:11Z
kirk-baird changed the severity to 2 (Med Risk)
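The fee accounting behind the first and third findings on this page (repeated fee withdrawal, and the owner's remainder being short after a fee withdrawal), as an added example that is not the project's code. `FeeModel`, the basis-point fee formula, the `fee_paid` counter used as the fix, and all numbers are assumptions made for illustration.

```python
# Constructed model of the fee accounting; not the Erc20Quest code.
# Assumption: the fee is a basis-point share of rewards for minted receipts.
class FeeModel:
    def __init__(self, track_fee_paid):
        self.reward, self.fee_bps = 100, 2000   # reward per receipt, 20% fee
        self.minted, self.redeemed = 7, 4       # receipts minted / claimed
        self.balance = 800                      # 1200 funded minus 4 claims
        self.track_fee_paid = track_fee_paid    # True = hardened variant
        self.fee_paid = 0                       # fee already sent (hardened)
        self.sent_to_fee_recipient = 0

    def protocol_fee(self):
        total = self.minted * self.reward * self.fee_bps // 10_000
        # Hardened: only the part of the fee not yet paid is still owed.
        return total - self.fee_paid if self.track_fee_paid else total

    def withdraw_fee(self):
        amount = self.protocol_fee()
        if amount > self.balance:
            raise RuntimeError("revert: insufficient balance")
        self.balance -= amount
        self.sent_to_fee_recipient += amount
        if self.track_fee_paid:
            self.fee_paid += amount
        return amount

    def withdraw_remaining(self):
        unclaimed = (self.minted - self.redeemed) * self.reward
        amount = self.balance - self.protocol_fee() - unclaimed
        if amount < 0:
            raise RuntimeError("revert: arithmetic underflow")
        self.balance -= amount
        return amount

def fee_scenario(track_fee_paid, fee_calls):
    q = FeeModel(track_fee_paid)
    for _ in range(fee_calls):
        q.withdraw_fee()
    try:
        owner_got = q.withdraw_remaining()
    except RuntimeError:
        owner_got = None                        # modelled revert
    # (total sent to fee recipient, owner's remainder, tokens left for claims)
    return q.sent_to_fee_recipient, owner_got, q.balance
```

With these numbers the correct split is 140 to the fee recipient, 360 to the owner and 300 left for unclaimed receipts, which the model only produces when the paid fee is tracked.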