A user can call the following mintReceipt function using a provided signature. It is possible that the claim signer, quest owner, or RabbitHole team is legally required to disallow a user from minting a RabbitHole receipt after the signature is provided. In this case, the provided signature needs to be revoked before it is used. However, there is no way to do this currently unless the QuestFactory contract's owner changes claimSignerAddress to revert the mintReceipt function call with the AddressNotSigned custom error, which will revoke all users' signatures, including the valid and safe ones, and cause much inconveniences to all users. If keeping claimSignerAddress as is, the user with the signature that should be revoked can use such signature to mint a RabbitHole receipt and claim the associated rewards when she or he actually should be disallowed from doing so.
function mintReceipt(string memory questId_, bytes32 hash_, bytes memory signature_) public {
if (quests[questId_].numberMinted + 1 > quests[questId_].totalParticipants) revert OverMaxAllowedToMint();
if (quests[questId_].addressMinted[msg.sender] == true) revert AddressAlreadyMinted();
if (keccak256(abi.encodePacked(msg.sender, questId_)) != hash_) revert InvalidHash();
if (recoverSigner(hash_, signature_) != claimSignerAddress) revert AddressNotSigned();
quests[questId_].addressMinted[msg.sender] = true;
quests[questId_].numberMinted++;
emit ReceiptMinted(msg.sender, questId_);
rabbitholeReceiptContract.mint(msg.sender, questId_);
}
Proof of Concept
The following steps can occur for the described scenario.
Alice is provided with a signature for minting a RabbitHole receipt but does not use it yet.
The claim signer, quest owner, or RabbitHole team needs to revoke Alice's unused signature for a legal reason but there is no way to just revoke Alice's signature.
Later, Alice uses the provided signature to mint a RabbitHole receipt. When the claim window starts, she is able to claim the rewards associated with this RabbitHole receipt while she actually should be disallowed from doing so.
Tools Used
VSCode
Recommended Mitigation Steps
A function that is only callable by a trusted party, such as the claim signer, quest owner, or RabbitHole team, can be added for recording the specified signature for a user that should be revoked. Then, the mintReceipt function can be updated to prevent the corresponding user from using the revoked signature.
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/QuestFactory.sol#L219-L229
Vulnerability details
Impact
A user can call the following
mintReceipt
function using a provided signature. It is possible that the claim signer, quest owner, or RabbitHole team is legally required to disallow a user from minting a RabbitHole receipt after the signature is provided. In this case, the provided signature needs to be revoked before it is used. However, there is no way to do this currently unless theQuestFactory
contract's owner changesclaimSignerAddress
to revert themintReceipt
function call with theAddressNotSigned
custom error, which will revoke all users' signatures, including the valid and safe ones, and cause much inconveniences to all users. If keepingclaimSignerAddress
as is, the user with the signature that should be revoked can use such signature to mint a RabbitHole receipt and claim the associated rewards when she or he actually should be disallowed from doing so.https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/QuestFactory.sol#L219-L229
Proof of Concept
The following steps can occur for the described scenario.
Tools Used
VSCode
Recommended Mitigation Steps
A function that is only callable by a trusted party, such as the claim signer, quest owner, or RabbitHole team, can be added for recording the specified signature for a user that should be revoked. Then, the
mintReceipt
function can be updated to prevent the corresponding user from using the revoked signature.