RabbitHole Quest Protocol contest - mrpathfindr's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 173

Period: 5 days

Judge: kirk-baird

Total Solo HM: 1

Id: 208

League: ETH

RabbitHole

Researcher Performance

Rank: 167/173

Findings: 1

Award: $0.75

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102

Vulnerability details

Impact

An unauthorised or unintended user can trigger the protocol fee to be sent to the protocolFeeRecipient.

An attacker can use this vulnerability to slow down or halt business operations, because the caller of the function and the receiver of the funds need not be the same entity.

Since the intended recipient is clearly defined, the intended caller should be the only entity capable of triggering the function.

Proof of Concept

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102

Tools Used

Manual Search

Apply a modifier to ensure that only the protocolFeeRecipient can call the withdrawFee() function.

Do this

    modifier onlyProtocolFeeRecipient() {
        require(msg.sender == protocolFeeRecipient, "Not protocolFeeRecipient!");
        _;
    }

    /// @notice Sends the protocol fee to the protocolFeeRecipient
    /// @dev Only callable when the quest is ended and if msg.sender is protocolFeeRecipient
    function withdrawFee() public onlyProtocolFeeRecipient onlyAdminWithdrawAfterEnd {
        IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
    }

Instead of this

    /// @notice Sends the protocol fee to the protocolFeeRecipient
    function withdrawFee() public onlyAdminWithdrawAfterEnd {
        IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
    }
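A Foundry regression test for the access-control fix above, added here as an example; it is not the researcher's or the project's code. MockToken, QuestStub, feeAmount and the reduced onlyAdminWithdrawAfterEnd are constructed stand-ins for the real Erc20Quest and reward token, assumed only so the check runs stand-alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
import "forge-std/Test.sol";

// Constructed stand-in for the reward token: just enough ERC20 to move balances.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external { balanceOf[msg.sender] -= amount; balanceOf[to] += amount; }
}

// Constructed stand-in for Erc20Quest (assumed shape, not the project's contract):
// the recipient gate from the mitigation plus a simple end-time gate.
contract QuestStub {
    MockToken public rewardToken;
    address public protocolFeeRecipient;
    uint256 public endTime;
    uint256 public feeAmount; // assumed: stands in for protocolFee()

    constructor(MockToken token, address recipient, uint256 end, uint256 fee) {
        rewardToken = token; protocolFeeRecipient = recipient; endTime = end; feeAmount = fee;
    }
    modifier onlyProtocolFeeRecipient() {
        require(msg.sender == protocolFeeRecipient, "Not protocolFeeRecipient!");
        _;
    }
    modifier onlyAdminWithdrawAfterEnd() { // assumed: reduced to the end-time check only
        require(block.timestamp > endTime, "Quest has not ended");
        _;
    }
    function withdrawFee() public onlyProtocolFeeRecipient onlyAdminWithdrawAfterEnd {
        rewardToken.transfer(protocolFeeRecipient, feeAmount);
    }
}

contract WithdrawFeeAccessTest is Test {
    MockToken token = new MockToken();
    address recipient = address(0xFEE);
    QuestStub quest = new QuestStub(token, recipient, 1_000, 500);

    // Fund the quest with the fee and move past endTime so only the caller check is exercised.
    function setUp() public { token.mint(address(quest), 500); vm.warp(1_001); }

    function testArbitraryCallerCannotWithdrawFee() public {
        vm.prank(address(0xBEEF)); // any address other than protocolFeeRecipient
        vm.expectRevert(bytes("Not protocolFeeRecipient!"));
        quest.withdrawFee();
    }
    function testRecipientCanWithdrawFee() public {
        vm.prank(recipient);
        quest.withdrawFee();
        assertEq(token.balanceOf(recipient), 500);
    }
}
```

Running this with forge test shows the unprivileged call reverting on the new modifier while the recipient's call still moves the fee.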

#0 - c4-judge

2023-02-05T05:17:11Z

kirk-baird marked the issue as duplicate of #23

#1 - c4-judge

2023-02-14T08:54:39Z

kirk-baird changed the severity to 3 (High Risk)

#2 - c4-judge

2023-02-14T09:00:05Z

kirk-baird marked the issue as satisfactory
