code-423n4 / 2023-01-rabbithole-findings


ERC1155 Quest allows for arbitrary rewardToken #614

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L106

Vulnerability details

Impact

Arbitrary reward tokens can seriously damage the project's reputation

Proof of Concept

During the function createQuest it allows any address with the CREATE_QUEST_ROLE role to create a new quest with a reward token. While there is a check in the case of an ERC20 quest which ensures that the reward token is allowed:

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L73

This check is missing for ERC1155 quests.

Not only is this a clear logical issue, it could furthermore damage the reputation of the project if quests are added with tokens that are not meant to be reward tokens, or useless tokens.

Tools Used

VSCode

Recommended Mitigation Steps

Consider adding the aforementioned check at the beginning of the function to ensure it is checked for both the ERC20 and ERC1155 cases.
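The pattern the finding describes, shown as an added example that is not the project's QuestFactory code and not part of the original submission: a reduced factory model in which the reward allowlist is consulted only on the ERC20 branch (vulnerable variant), next to the variant with the check hoisted above the type branch as the mitigation recommends. All names here (QuestFactoryModel, rewardAllowlist, creators, createQuestVulnerable, createQuestFixed, the error types) are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed model of a quest factory with an allowlist of reward tokens.
// It is not the RabbitHole contract; names and structure are assumptions.
contract QuestFactoryModel {
    enum QuestType { ERC20, ERC1155 }

    struct Quest {
        address rewardToken;
        QuestType questType;
    }

    error NotAuthorized();
    error RewardNotAllowed();
    error QuestIdUsed();

    address public owner;
    // Stand-in for the CREATE_QUEST_ROLE role in the real factory.
    mapping(address => bool) public creators;
    // Token addresses the protocol accepts as quest rewards.
    mapping(address => bool) public rewardAllowlist;
    mapping(string => Quest) public quests;

    constructor() {
        owner = msg.sender;
        creators[msg.sender] = true;
    }

    function setRewardAllowlist(address token, bool allowed) external {
        if (msg.sender != owner) revert NotAuthorized();
        rewardAllowlist[token] = allowed;
    }

    function setCreator(address account, bool allowed) external {
        if (msg.sender != owner) revert NotAuthorized();
        creators[account] = allowed;
    }

    // VULNERABLE VARIANT: the allowlist is only consulted inside the ERC20
    // branch, so an ERC1155 quest can be created with any token address.
    function createQuestVulnerable(
        address rewardToken,
        QuestType questType,
        string calldata questId
    ) external {
        if (!creators[msg.sender]) revert NotAuthorized();
        if (quests[questId].rewardToken != address(0)) revert QuestIdUsed();

        if (questType == QuestType.ERC20) {
            if (!rewardAllowlist[rewardToken]) revert RewardNotAllowed();
        }
        // ERC1155 branch: no allowlist check at all.
        quests[questId] = Quest({rewardToken: rewardToken, questType: questType});
    }

    // FIXED VARIANT: the allowlist check runs before the type branch, so it
    // applies to both ERC20 and ERC1155 quests.
    function createQuestFixed(
        address rewardToken,
        QuestType questType,
        string calldata questId
    ) external {
        if (!creators[msg.sender]) revert NotAuthorized();
        if (quests[questId].rewardToken != address(0)) revert QuestIdUsed();
        if (!rewardAllowlist[rewardToken]) revert RewardNotAllowed();

        quests[questId] = Quest({rewardToken: rewardToken, questType: questType});
    }
}
```

To see the difference, deploy the model, leave some token address off the allowlist, and call each function with QuestType.ERC1155 and that address from a creator account: createQuestVulnerable records the quest, createQuestFixed reverts with RewardNotAllowed. One caveat for the fix: an allowlist keyed by token address, as modelled here, constrains only the contract address; if the design also needs to limit which ERC1155 token ID can be used as a reward, that needs a separate check.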

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #51

c4-judge commented 1 year ago

kirk-baird marked the issue as not a duplicate

c4-judge commented 1 year ago

kirk-baird changed the severity to QA (Quality Assurance)

c4-sponsor commented 1 year ago

waynehoover marked the issue as sponsor confirmed

c4-judge commented 1 year ago

kirk-baird marked the issue as grade-b