mintReceipt currently does not have any check that the questId passed as an argument corresponds to an active quest.
As the signature is valid without a deadline, a user can call mintReceipt after the end of a quest, when there are no more funds in the Quest contract, i.e. when all users have already claimed their rewards and the owner has called ERC20Quest.withdrawRemainingTokens().
The user has hence minted a useless token.
As per the gas reports, the cost of mintReceipt is around $40. This is a non-negligible amount, and the function should ensure the user does not mint an obsolete token.
Impact
Medium
Tools Used
Manual Review
Recommended Mitigation Steps
Add a check in mintReceipt to ensure Quest(quests[questId_].questAddress).endTime() > block.timestamp
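The following is an added illustration of the recommended check, not code from the quest-protocol repository. It assumes a minimal IQuest interface exposing only endTime(), a quests mapping keyed by questId with a questAddress field (as referenced in the finding), and a MockQuest contract constructed here so the check can be exercised; the existing signature verification in mintReceipt is independent of this fix and is left out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Assumed minimal interface: the only getter the mitigation needs.
interface IQuest {
    function endTime() external view returns (uint256);
}

// Constructed stand-in for a Quest contract, used only to exercise the check.
contract MockQuest is IQuest {
    uint256 public override endTime;

    constructor(uint256 endTime_) {
        endTime = endTime_;
    }
}

// Hypothetical factory that isolates the active-quest check described above.
contract QuestFactoryExample {
    struct QuestData {
        address questAddress;
        uint256 numberMinted;
    }

    // Assumed shape of the quests mapping referenced in the finding.
    mapping(string => QuestData) public quests;

    error QuestNotFound(string questId);
    error QuestEnded(string questId, uint256 endTime, uint256 nowTimestamp);

    // Registers a quest address under a questId (example-only helper).
    function registerQuest(string calldata questId_, address questAddress_) external {
        quests[questId_].questAddress = questAddress_;
    }

    // Returns true only while the quest's endTime lies strictly in the future,
    // which is the condition the mitigation requires.
    function isQuestActive(string calldata questId_) public view returns (bool) {
        address questAddr = quests[questId_].questAddress;
        if (questAddr == address(0)) return false;
        return IQuest(questAddr).endTime() > block.timestamp;
    }

    // Hardened mintReceipt: reverts before any state change or receipt mint
    // when the quest is unknown or has already ended, so a still-valid
    // signature cannot be used to mint a receipt for a drained quest.
    function mintReceipt(string calldata questId_) external {
        address questAddr = quests[questId_].questAddress;
        if (questAddr == address(0)) revert QuestNotFound(questId_);

        uint256 end = IQuest(questAddr).endTime();
        if (end <= block.timestamp) revert QuestEnded(questId_, end, block.timestamp);

        // Signature verification and receipt minting would follow here,
        // unchanged from the original flow.
        quests[questId_].numberMinted += 1;
    }
}
```

Deploying MockQuest with an endTime_ in the past and registering it shows the difference: isQuestActive returns false and mintReceipt reverts with QuestEnded, whereas with a future endTime_ both succeed. Placing the check before signature recovery also means a caller pays only the cost of the revert rather than the full ~$40 mint when the quest is over.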
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219