Platform: Code4rena
Start Date: 25/01/2023
Pot Size: $36,500 USDC
Total HM: 11
Participants: 173
Period: 5 days
Judge: kirk-baird
Total Solo HM: 1
Id: 208
League: ETH
Rank: 166/173
Findings: 1
Award: $2.59
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: adriro
Also found by: 0xMAKEOUTHILL, 0xMirce, 7siech, AkshaySrivastav, AlexCzm, Awesome, Aymen0909, Cryptor, Deivitto, DimitarDimitrov, ElKu, Garrett, Jayus, Josiah, Kenshin, KrisApostolov, RaymondFam, SovaSlava, Timenov, UdarTeam, amaechieth, btk, c3phas, codeislight, fellows, frankudoags, gzeon, hansfriese, luxartvinsec, millersplanet, mookimgo, navinavu, oberon, paspe, pavankv, petersspetrov, pfapostol, prestoncodes, rbserver, sakshamguruji, shark, thekmj, trustindistrust, tsvetanovv, usmannk, vagrant, vanko1, xAriextz, yosuke
2.5852 USDC - $2.59
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50
In both RabbitHoleReceipt.sol and RabbitHoleTickets.sol the usage of the onlyMinter modifier is essentially useless and everyone can call functions that are not intended to be called by everyone. Examples are mint in and mintBatch in the mentioned contracts. This can lead to manipulation of other parts in the protocol and would make extracting value from given quest practically impossible.
The modifier code is invalid as it does not check properly the minter address
VsCode
Rewrite the modifier like this:
modifier onlyMinter() { if(msg.sender != minterAddress) revert OnlyMinter(); _; }
#0 - c4-judge
2023-02-05T04:19:33Z
kirk-baird marked the issue as duplicate of #9
#1 - c4-judge
2023-02-14T08:39:19Z
kirk-baird marked the issue as satisfactory