search

code-423n4 / 2023-01-rabbithole-findings

1 stars 2 forks source link

mintReceipt could mint receipt after endtime. #677

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81-L87

Vulnerability details

Impact

mintReceipt could mint receipt after endtime. If owner execute withdrawRemainingTokens user’s receipt that mint after endtime can’t claim.

Proof of Concept

function withdrawRemainingTokens(address to_) public override onlyOwner {
        super.withdrawRemainingTokens(to_);

        uint unclaimedTokens = (receiptRedeemers() - redeemedTokens) * rewardAmountInWeiOrTokenId;
        uint256 nonClaimableTokens = IERC20(rewardToken).balanceOf(address(this)) - protocolFee() - unclaimedTokens;
        IERC20(rewardToken).safeTransfer(to_, nonClaimableTokens);
    }

withdrawRemainingTokens withdraw all of fund in Quest except unredeemedToken. unredeemedToken doesn’t contain unminted receipt so when mint receipt after withdrawRemainingTokens are unclaimable.

Tools Used

Sublime Text

Recommended Mitigation Steps

prevent receipt after endtime or withdrawRemainingTokens.

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #22

c4-judge commented 1 year ago

kirk-baird changed the severity to 2 (Med Risk)

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory