Closed code423n4 closed 1 year ago
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L90-L93
Since the setRoyaltyFee() function does not impose an upper bound for royaltyFee_ parameter, it is possible to set an extremely high value of royaltyFee_ . The royalty fee should typically have a lower value.
setRoyaltyFee()
royaltyFee_
File: contracts/RabbitHoleReceipt.sol 90-93: function setRoyaltyFee(uint256 royaltyFee_) public onlyOwner { royaltyFee = royaltyFee_; emit RoyaltyFeeSet(royaltyFee_); }
Set an upper bound for royaltyFee_ similar to that implemented for setQuestFee() function. For instance,
setQuestFee()
if (royaltyFee_ > 500) revert RoyaltyFeeTooHigh();
kirk-baird changed the severity to QA (Quality Assurance)
waynehoover marked the issue as sponsor acknowledged
kirk-baird marked the issue as grade-b
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L90-L93
Vulnerability details
Since the
setRoyaltyFee()
function does not impose an upper bound forroyaltyFee_
parameter, it is possible to set an extremely high value ofroyaltyFee_
. The royalty fee should typically have a lower value.Proof of Concept
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L90-L93
Recommended Mitigation Steps
Set an upper bound for
royaltyFee_
similar to that implemented forsetQuestFee()
function. For instance,