Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 142/173
Findings: 3
Award: $10.39
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xMAKEOUTHILL, 0xMirce, 7siech, AkshaySrivastav, AlexCzm, Awesome, Aymen0909, Cryptor, Deivitto, DimitarDimitrov, ElKu, Garrett, Jayus, Josiah, Kenshin, KrisApostolov, RaymondFam, SovaSlava, Timenov, UdarTeam, amaechieth, btk, c3phas, codeislight, fellows, frankudoags, gzeon, hansfriese, luxartvinsec, millersplanet, mookimgo, navinavu, oberon, paspe, pavankv, petersspetrov, pfapostol, prestoncodes, rbserver, sakshamguruji, shark, thekmj, trustindistrust, tsvetanovv, usmannk, vagrant, vanko1, xAriextz, yosuke
2.5852 USDC - $2.59
Anyone may mint rabbit hole receipts. Because the quest id is specified by the minter, this means that any user may drain all quests of their rewards via infinite mint.
The onlyMinter modifier does not have any require statements. As is, the msg.sender == minterAddress; check is a no-op.
Manual review
Change msg.sender == minterAddress; to require(msg.sender == minterAddress);
To prevent regression, I recommend adding the following test to test/RabbitHoleReceipt.spec.ts
describe('onlyMinterCanMint', () => { it('reverts when mint is called without minter role', async () => { await expect( RHReceipt.connect(firstAddress).mint(firstAddress.address, 'def456') ).to.be.reverted }) })
#0 - c4-judge
2023-02-03T09:26:57Z
kirk-baird marked the issue as duplicate of #9
#1 - c4-judge
2023-02-14T08:39:35Z
kirk-baird marked the issue as satisfactory
🌟 Selected for report: adriro
Also found by: 0xRobocop, 0xmrhoodie, 0xngndev, AkshaySrivastav, ArmedGoose, Atarpara, Bauer, CodingNameKiki, ElKu, Garrett, HollaDieWaldfee, IllIllI, Iurii3, KIntern_NA, KmanOfficial, Lotus, M4TZ1P, MiniGlome, Ruhum, SovaSlava, bin2chen, bytes032, carrotsmuggler, cccz, chaduke, codeislight, cryptonue, doublesharp, evan, fs0c, glcanvas, gzeon, hansfriese, hihen, hl_, holme, horsefacts, ladboy233, lukris02, mahdikarimi, manikantanynala97, martin, mert_eren, mrpathfindr, omis, peakbolt, peanuts, prestoncodes, rbserver, rvierdiiev, sashik_eth, timongty, tnevler, trustindistrust, usmannk, wait, yixxas, zadaru13, zaskoh
0.7512 USDC - $0.75
After the specified deadline, anyone may call functions with the onlyAdminWithdrawAfterEnd modifier, even if they are not an admin. This allows any user to call admin-only functions.
The onlyAdminWithdrawAfterEnd modifier performs no checks on msg.sender, despite being labeled onlyAdmin.
There are cases already where the onlyAdminWithdrawAfterEnd modifier is used on its own, without onlyOwner, due to the naming implying an admin check. For example: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104
Manual review.
Add a check for the owner role in onlyAdminWithdrawAfterEnd.
#0 - c4-judge
2023-02-03T09:36:25Z
kirk-baird marked the issue as duplicate of #23
#1 - c4-judge
2023-02-14T08:54:38Z
kirk-baird changed the severity to 3 (High Risk)
#2 - c4-judge
2023-02-14T09:00:40Z
kirk-baird marked the issue as satisfactory
🌟 Selected for report: RaymondFam
Also found by: 0xMirce, AkshaySrivastav, AlexCzm, Aymen0909, BClabs, CodingNameKiki, ElKu, HollaDieWaldfee, Josiah, KIntern_NA, MiniGlome, StErMi, adriro, bin2chen, cccz, chaduke, csanuragjain, gzeon, hihen, holme, libratus, minhquanym, omis, peakbolt, peanuts, rbserver, rvierdiiev, timongty, ubermensch, usmannk, wait, zaskoh
7.046 USDC - $7.05
Admins may withdraw tokens from quests even though there are remaining unclaimed receipts. This leads to a loss of funds for the receipt holders.
In Erc20Quest, there are checks that ensure that even on admin withdrawal, sufficient funds remain to cover already-minted but yet-unclaimed receipts: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L78-L87
However, in Erc1155Quest there are no such checks: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L54-L63
For Erc1155Quests, admin withdrawal will cause loss of funds for holders of minted but unclaimed receipts. This seems to be an error as there are checks in Erc20Quest that guard against this.
Manual review.
Change the admin withdrawal amount in Erc1155Quest such on withdrawal, (protocolFees + unclaimedTokenRewards) num of rewardTokens are left behind for currently minted but unclaimed receipts.
#0 - c4-judge
2023-02-03T09:37:23Z
kirk-baird marked the issue as duplicate of #42
#1 - c4-judge
2023-02-10T05:03:11Z
kirk-baird changed the severity to QA (Quality Assurance)
#2 - c4-judge
2023-02-10T05:12:15Z
This previously downgraded issue has been upgraded by kirk-baird
#3 - c4-judge
2023-02-14T09:28:19Z
kirk-baird marked the issue as satisfactory
#4 - c4-judge
2023-02-23T23:49:22Z
kirk-baird changed the severity to 2 (Med Risk)