Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 165/173
Findings: 1
Award: $2.59
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xMAKEOUTHILL, 0xMirce, 7siech, AkshaySrivastav, AlexCzm, Awesome, Aymen0909, Cryptor, Deivitto, DimitarDimitrov, ElKu, Garrett, Jayus, Josiah, Kenshin, KrisApostolov, RaymondFam, SovaSlava, Timenov, UdarTeam, amaechieth, btk, c3phas, codeislight, fellows, frankudoags, gzeon, hansfriese, luxartvinsec, millersplanet, mookimgo, navinavu, oberon, paspe, pavankv, petersspetrov, pfapostol, prestoncodes, rbserver, sakshamguruji, shark, thekmj, trustindistrust, tsvetanovv, usmannk, vagrant, vanko1, xAriextz, yosuke
2.5852 USDC - $2.59
The Owner can set the minterAddress at any point to an arbitrary address that is not the original QuestFactory via: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L83 An exploit could look like this:
Also possible, but less likely in my opinion: He could grief other participants via minting an infinite amount of tokens to participants' addresses. This prevents them from successfully calling Quest.claim() due to the transaction running out of gas: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L99 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L104 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L113
But simply setting the minterAddress to something other than the QuestFactory will already be sufficient since that will break QuestFactory.mintReceipt()
Manual Analysis
I am not sure whether it is needed to have a function that can set the minterAddress after it has been set in initialize(). Remove the setMinterAddress function if possible.
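As an added illustration of the recommended mitigation (this is example code, not code from the quest-protocol repository): a minimal receipt-style contract in which the minter is bound exactly once during initialization and there is deliberately no owner-callable setter, so the factory wiring cannot be redirected after deployment. The contract name, event, errors and the `mint()` shape are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not the quest-protocol code. It shows the shape of the fix
// suggested above: bind the minter in initialize() and omit setMinterAddress(),
// so the owner has no path to point minting at an arbitrary address.
// All names here (ReceiptExample, MinterBound, mint) are assumptions.
contract ReceiptExample {
    address public owner;
    address public minterAddress;
    bool private _initialized;
    uint256 public nextTokenId;
    mapping(uint256 => address) public ownerOf;

    event MinterBound(address indexed minter);

    error AlreadyInitialized();
    error ZeroAddress();
    error OnlyMinter(address caller);

    // One-shot initializer, mirroring the proxy-style initialize() pattern.
    // The minter is fixed here. There is intentionally no
    //     function setMinterAddress(address) external onlyOwner
    // afterwards: once the factory is wired in, nobody can swap it out.
    function initialize(address _owner, address _minter) external {
        if (_initialized) revert AlreadyInitialized();
        if (_owner == address(0) || _minter == address(0)) revert ZeroAddress();
        _initialized = true;
        owner = _owner;
        minterAddress = _minter;
        emit MinterBound(_minter);
    }

    modifier onlyMinter() {
        if (msg.sender != minterAddress) revert OnlyMinter(msg.sender);
        _;
    }

    // Only the bound factory may mint. Because minterAddress is immutable in
    // practice, the owner cannot break factory minting or mint on its own.
    function mint(address to) external onlyMinter returns (uint256 tokenId) {
        if (to == address(0)) revert ZeroAddress();
        tokenId = ++nextTokenId;
        ownerOf[tokenId] = to;
    }
}
```

If the deployment flow genuinely needs to rebind the minter (for example a factory upgrade), the safer alternative to an unrestricted owner setter is a one-time set that reverts when `minterAddress` is already non-zero, which is exactly what folding the assignment into `initialize()` achieves here.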
#0 - c4-judge
2023-02-06T08:58:21Z
kirk-baird marked the issue as duplicate of #9
#1 - c4-judge
2023-02-14T08:34:07Z
kirk-baird changed the severity to 3 (High Risk)
#2 - c4-judge
2023-02-14T08:34:07Z
kirk-baird changed the severity to 3 (High Risk)
#3 - c4-judge
2023-02-14T08:37:39Z
kirk-baird marked the issue as satisfactory