c4-judge
commented
1 year ago kirk-baird changed the severity to QA (Quality Assurance)
Closed code423n4 closed 1 year ago
c4-judge
commented
1 year ago kirk-baird changed the severity to QA (Quality Assurance)
c4-sponsor
commented
1 year ago waynehoover marked the issue as sponsor acknowledged
c4-judge
commented
1 year ago kirk-baird marked the issue as grade-b
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc1155Quest.sol#L42
Vulnerability details
Impact
Some accounts are unable to claim their ERC1155 reward, despite having completed the quest. But this is a medium severity, because it concerns only the smart contracts-based accounts (not EOAs) who did not implement the
onERC1155Receivedhook.Proof of Concept
If msg.sender of the
claimfunction ofQuestcontract is a smart contract who did not implement aonERC1155Receivedhook, then his rewards are stuck in the Quest contract.Recommended Mitigation Steps
Check if
onERC1155Receivedhook is implemented in a participant contract before whitelisting him off-chain, for example by callingsupportsInterface(ERC1155HolderID)and checking that the result is true, on the receiving contract.