code-423n4 / 2023-01-rabbithole-findings


RabbitHoleReceipt can stop minting of receipts for claims #668

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L83-L86

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98-L104

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L228

Vulnerability details

Impact

The mint() function in the RabbitHoleReceipt contract mints a Quest receipt which can be claimable. In the mintReceipt() function in the QuestFactory contract, it is expected that the QuestFactory contract is already set as Minter on the receipt contract, as defined in the dev comments.

However, there is a possibility that the owner of the RabbitHoleReceipt contract can set minterAddress, by calling RabbitHoleReceipt.setMinterAddress(), to an address other than the QuestFactory contract, thus making QuestFactory.mintReceipt() redundant by reverting in such a scenario and preventing users from being able to mint receipts for a Quest and claim rewards.

Tools Used

Manual review

Recommended Mitigation Steps

Some check to ensure the new minterAddress set in RabbitHoleReceipt contract is the current QuestFactory contract.
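
An added example, not part of the original report or the quest-protocol code: a simplified Solidity model of the minter gate described above, with an unrestricted setter beside one that applies the recommended check. Only `mint()`, `setMinterAddress()` and `minterAddress` are names from the report; the contract name, the `questFactory` field, the errors and the events are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical, simplified model of the receipt contract's minter gate.
contract ReceiptMinterGate {
    address public owner;
    address public minterAddress;
    // Assumption: the receipt contract knows the factory address from deployment.
    address public immutable questFactory;

    error NotOwner();
    error NotMinter();
    error MinterMustBeFactory(address proposed);

    event MinterAddressSet(address indexed minter);
    event ReceiptMinted(address indexed to, string questId);

    constructor(address questFactory_) {
        owner = msg.sender;
        questFactory = questFactory_;
        minterAddress = questFactory_;
    }

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier onlyMinter() { if (msg.sender != minterAddress) revert NotMinter(); _; }

    // Behaviour the report describes: any address is accepted. After this call
    // with a non-factory address, the factory's call to mint() reverts with
    // NotMinter, so no receipts can be minted through the factory.
    function setMinterAddressUnchecked(address minter_) external onlyOwner {
        minterAddress = minter_;
        emit MinterAddressSet(minter_);
    }

    // Setter with the recommended check: a minter other than the factory is rejected.
    function setMinterAddress(address minter_) external onlyOwner {
        if (minter_ != questFactory) revert MinterMustBeFactory(minter_);
        minterAddress = minter_;
        emit MinterAddressSet(minter_);
    }

    // Stand-in for the receipt mint; only the current minter may call it.
    function mint(address to_, string calldata questId_) external onlyMinter {
        emit ReceiptMinted(to_, questId_);
    }
}
```

With the factory address fixed at deployment, the checked setter can only ever restore the factory as minter, which is the property the mitigation asks for.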

c4-judge commented 1 year ago

kirk-baird changed the severity to QA (Quality Assurance)

c4-sponsor commented 1 year ago

waynehoover marked the issue as sponsor acknowledged

c4-judge commented 1 year ago

kirk-baird marked the issue as grade-c