The modifiers holding the name "onlyMinter", defined in the "contracts/RabbitHoleReceipt.sol" and "contracts/RabbitHoleTickets.sol" files do not implement an if or require checks. The lack of checking means that the modifiers do nothing about regulating the use of the "mint" function in the "contracts/RabbitHoleReceipt.sol" file and the "mint", and "mintBatch" functions in the "contracts/RabbitHoleTickets.sol" file respectively. No matter the if the user calling one of the functions has the required privileges or not they will always be allowed to execute the transaction.
Implement a require or if check.
The code in the following examples assumes that the modifiers' functionality is supposed to check whether the user is the minter address.
Example with require: require(msg.sender == minterAddress, "Some error message here:");
Example with if: if (msg.sender == minterAddress) revert CustomError();
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83 https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L92-L97
Vulnerability details
Impact
The modifiers holding the name "onlyMinter", defined in the "contracts/RabbitHoleReceipt.sol" and "contracts/RabbitHoleTickets.sol" files do not implement an if or require checks. The lack of checking means that the modifiers do nothing about regulating the use of the "mint" function in the "contracts/RabbitHoleReceipt.sol" file and the "mint", and "mintBatch" functions in the "contracts/RabbitHoleTickets.sol" file respectively. No matter the if the user calling one of the functions has the required privileges or not they will always be allowed to execute the transaction.
Proof of Concept
The definition of the modifier in the "contracts/RabbitHoleReceipt.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L58-L61
The definition of the modifier in the "contracts/RabbitHoleTickets.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50
Usage of the modifier in the "contracts/RabbitHoleReceipt.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98
Usage of the modifier in the "contracts/RabbitHoleTickets.sol" file: https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L83
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L92-L97
Recommended Mitigation Steps
Implement a
require
orif
check. The code in the following examples assumes that the modifiers' functionality is supposed to check whether the user is the minter address. Example with require:require(msg.sender == minterAddress, "Some error message here:");
Example with if:if (msg.sender == minterAddress) revert CustomError();