search

code-423n4 / 2023-01-rabbithole-findings

1 stars 2 forks source link

`mintReceipt` should not allow users to mint after the end of a quest #683

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219

Vulnerability details

mintReceipt currently does not have any check that the questId passed as an argument corresponds to an active quest.

As the signature will be valid without a deadline, a user can call mintReceipt after the end of a quest, when there is no more funds in the Quest contract - ie when all users have already claimed their rewards and the owner has called ERC20Quest.withdrawRemainingTokens().

The user has hence minted a useless token.

As per the gas reports, the cost of mintReceipt is around $40. This is a non-negligeable amount and the function should ensure the user does not mint an obsolete token

Impact

Medium

Tools Used

Manual Review

Recommended Mitigation Steps

Add a check in mintReceipt to ensure Quest(quests[questId_].questAddress).endTime() > block.timestamp

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #22

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory