RabbitHole Quest Protocol contest - yixxas's results

A protocol to distribute token rewards for completing on-chain tasks.

General Information

Platform: Code4rena

Start Date: 25/01/2023

Pot Size: $36,500 USDC

Total HM: 11

Participants: 173

Period: 5 days

Judge: kirk-baird

Total Solo HM: 1

Id: 208

League: ETH

RabbitHole

Findings Distribution

Researcher Performance

Rank: 168/173

Findings: 1

Award: $0.75

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/9ef32907788dde6c42990ee5dde8f53caeaba474/contracts/Erc20Quest.sol#L102-L104

Vulnerability details

Impact

If a quest has ended and some users have not yet claimed their reward tokens, they may be unable to do so: the protocol fee recipient can end up withdrawing the reward tokens that were reserved for those unclaimed receipts.

Proof of Concept

We first note that in withdrawRemainingTokens(), the owner can only withdraw tokens that are non-claimable. Tokens that are unclaimed are deliberately left in the contract so that users who have not yet claimed can still do so after the quest end time.

withdrawFee() only has the modifier onlyAdminWithdrawAfterEnd, which checks only that the quest end time has passed, so it can be called by anyone after the quest ends. The issue is that the function can be called multiple times: nothing records that the fee has already been paid out. Each call transfers protocolFee() = (receiptRedeemers() * rewardAmountInWeiOrTokenId * questFee) / 10_000 to the protocol fee recipient. Anyone can therefore push more tokens to the protocol fee recipient than it is entitled to collect in fees, and the excess comes out of the rewards reserved for users who have not yet claimed, hence stealing from users.

Tools Used

Manual Review

Recommended Mitigation Steps

Consider allowing withdrawFee() to be callable only once (for example by recording that the fee has already been withdrawn), and have that single call transfer the maximum protocol reward.
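The accounting described in the proof of concept and the mitigation above, as an added example that is not the project's code: a Python model of the quest's post-end token flows. The names protocolFee, receiptRedeemers, withdrawRemainingTokens and withdrawFee follow the finding; the funding formula (maxTotalRewards plus the fee on it), the transfer bookkeeping, the exception names and the concrete figures (10 participants, 100 tokens per receipt, 20% fee, 5 receipts minted) are assumptions of this model. The `single_fee_withdrawal` flag switches between the vulnerable behaviour (fee payable on every call) and the mitigated one (fee payable once).

```python
"""Model of Erc20Quest's post-quest accounting (added example, not project code).
Token amounts are plain integers; a 'transfer' moves balance from the quest to
the owner, the protocol fee recipient or a claimant. Assumed simplification."""

FEE_DENOMINATOR = 10_000


class NoWithdrawDuringClaim(Exception):
    """Raised when a withdraw is attempted before the quest end time."""


class InsufficientBalance(Exception):
    """Raised when the quest no longer holds enough tokens for a transfer."""


class FeeAlreadyWithdrawn(Exception):
    """Raised by the mitigated withdrawFee() on a second call."""


class Erc20QuestModel:
    def __init__(self, total_participants, reward_per_receipt, quest_fee_bps,
                 end_time, single_fee_withdrawal):
        self.reward = reward_per_receipt          # rewardAmountInWeiOrTokenId
        self.fee_bps = quest_fee_bps              # questFee
        self.end_time = end_time
        self.single_fee_withdrawal = single_fee_withdrawal  # True = mitigated
        # Assumed funding: maxTotalRewards + maxProtocolReward deposited up front.
        max_total_rewards = total_participants * reward_per_receipt
        self.max_protocol_reward = max_total_rewards * quest_fee_bps // FEE_DENOMINATOR
        self.balance = max_total_rewards + self.max_protocol_reward
        self.receipts_minted = 0                  # receiptRedeemers()
        self.redeemed = 0                         # receipts already claimed
        self.fee_withdrawn = False
        self.paid = {"owner": 0, "fee_recipient": 0, "claimants": 0}

    def mint_receipt(self):
        self.receipts_minted += 1

    def protocol_fee(self):
        # protocolFee() = receiptRedeemers() * rewardAmountInWeiOrTokenId * questFee / 10_000
        return self.receipts_minted * self.reward * self.fee_bps // FEE_DENOMINATOR

    def _transfer(self, to, amount):
        if amount > self.balance:
            raise InsufficientBalance(f"need {amount}, have {self.balance}")
        self.balance -= amount
        self.paid[to] += amount

    def _require_ended(self, now):
        # onlyAdminWithdrawAfterEnd: a timestamp check only, no msg.sender check
        if now < self.end_time:
            raise NoWithdrawDuringClaim()

    def claim(self):
        """A receipt holder redeeming one receipt for reward_per_receipt tokens."""
        if self.redeemed >= self.receipts_minted:
            raise ValueError("no unclaimed receipts")
        self._transfer("claimants", self.reward)
        self.redeemed += 1

    def withdraw_remaining_tokens(self, now):
        """Owner takes only what can never be claimed; unclaimed rewards stay."""
        self._require_ended(now)
        unclaimed = (self.receipts_minted - self.redeemed) * self.reward
        non_claimable = self.balance - self.protocol_fee() - unclaimed
        self._transfer("owner", non_claimable)

    def withdraw_fee(self, now):
        """Callable by anyone after end; pays protocolFee() to the fee recipient."""
        self._require_ended(now)
        if self.single_fee_withdrawal:            # mitigation: pay the fee once
            if self.fee_withdrawn:
                raise FeeAlreadyWithdrawn()
            self.fee_withdrawn = True
        self._transfer("fee_recipient", self.protocol_fee())


def run_scenario(single_fee_withdrawal):
    """Quest ends with 5 receipts minted and nobody claimed yet (constructed)."""
    q = Erc20QuestModel(total_participants=10, reward_per_receipt=100,
                        quest_fee_bps=2_000, end_time=1_000,
                        single_fee_withdrawal=single_fee_withdrawal)
    for _ in range(5):
        q.mint_receipt()
    now = q.end_time
    q.withdraw_remaining_tokens(now)   # owner: 1200 - 100 fee - 500 unclaimed = 600
    q.withdraw_fee(now)                # legitimate fee: 100
    try:
        q.withdraw_fee(now)            # second call, from any address
        second_call = "succeeded"
    except FeeAlreadyWithdrawn:
        second_call = "reverted"
    claims_ok = 0
    for _ in range(5):                 # the five receipt holders try to claim
        try:
            q.claim()
            claims_ok += 1
        except InsufficientBalance:
            break
    return {"second_fee_call": second_call,
            "fee_recipient_got": q.paid["fee_recipient"],
            "claims_succeeded": claims_ok,
            "balance_left": q.balance}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(single_fee_withdrawal=False))
    print("mitigated: ", run_scenario(single_fee_withdrawal=True))
```

In the vulnerable run the second withdrawFee() call moves another 100 tokens to the fee recipient, so only four of the five receipt holders can still claim; with the once-only guard the second call reverts and all five claims go through. Note that the guard must be combined with paying the full entitled amount in the single call, as the mitigation says, otherwise a call made before all receipts are minted would lock the recipient out of the rest of its fee.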

#0 - c4-judge

2023-02-06T08:31:42Z

kirk-baird marked the issue as duplicate of #23

#1 - c4-judge

2023-02-14T08:54:38Z

kirk-baird changed the severity to 3 (High Risk)

#2 - c4-judge

2023-02-14T08:56:31Z

kirk-baird marked the issue as satisfactory
