code-423n4 / 2023-01-rabbithole-findings


User's claim can revert when attackers call `withdrawFee` several times #587

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/rabbitholegg/quest-protocol/tree/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81-L87
https://github.com/rabbitholegg/quest-protocol/tree/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104

Vulnerability details

Impact

withdrawFee can be called several times, so attackers can use this to drain Erc20Quest's balance.

Proof of Concept

When the admin calls withdrawRemainingTokens, protocolFee + unclaimedTokens are left in the Erc20Quest contract. If unclaimedTokens >= protocolFee, the attacker can call withdrawFee to drain the balance, which can make users' claims revert because of the low balance.

Tools Used

Manual Review

Recommended Mitigation Steps

withdrawFee should be called only once.
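The pattern in this finding and its mitigation, as an added illustration that is not the RabbitHole code: a hypothetical, stripped-down quest contract whose fee withdrawal is unguarded beside the same function gated by a one-shot flag. Contract, function and variable names (`QuestFeeModel`, `withdrawFeeVulnerable`, `feeWithdrawn`, the constructor arguments) are assumptions modelled on the names the report uses.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Minimal ERC-20 surface needed by the model.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical simplified model of an Erc20Quest-style contract after the admin
// has called withdrawRemainingTokens: only protocolFee + unclaimedTokens remain.
contract QuestFeeModel {
    IERC20 public immutable rewardToken;
    address public immutable protocolFeeRecipient;
    uint256 public immutable protocolFee;   // amount owed to the protocol
    uint256 public unclaimedTokens;          // rewards still owed to participants
    bool public feeWithdrawn;                // guard introduced by the mitigation

    constructor(IERC20 token, address recipient, uint256 fee, uint256 unclaimed) {
        rewardToken = token;
        protocolFeeRecipient = recipient;
        protocolFee = fee;
        unclaimedTokens = unclaimed;
    }

    // VULNERABLE pattern from the finding: nothing prevents repeated calls, so every
    // call moves another protocolFee out of the balance reserved for user claims.
    function withdrawFeeVulnerable() external {
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee), "transfer failed");
    }

    // MITIGATED: the fee is paid out exactly once. The flag is set before the
    // external call (checks-effects-interactions), so a re-entrant call also fails.
    function withdrawFee() external {
        require(!feeWithdrawn, "fee already withdrawn");
        feeWithdrawn = true;
        require(rewardToken.transfer(protocolFeeRecipient, protocolFee), "transfer failed");
    }

    // Participant claim. With the vulnerable withdrawal, repeated fee payouts shrink
    // the balance below unclaimedTokens and this reverts for the remaining users.
    function claim(address user, uint256 amount) external {
        require(amount <= unclaimedTokens, "nothing to claim");
        unclaimedTokens -= amount;
        require(rewardToken.balanceOf(address(this)) >= amount, "insufficient balance");
        require(rewardToken.transfer(user, amount), "transfer failed");
    }
}
```

A unit test for the fix should deploy the model with `fee <= unclaimed`, call `withdrawFee` twice and assert the second call reverts with "fee already withdrawn" while the contract balance still covers `unclaimedTokens`.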

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #23

c4-judge commented 1 year ago

kirk-baird changed the severity to 3 (High Risk)

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory

c4-judge commented 1 year ago

kirk-baird marked issue #377 as primary and marked this issue as a duplicate of 377

c4-judge commented 1 year ago

kirk-baird marked issue #375 as primary and marked this issue as a duplicate of 375

c4-judge commented 1 year ago

kirk-baird marked the issue as not a duplicate

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #605