code-423n4 / 2023-01-rabbithole-findings


Upgraded Q -> 3 from #154 [1675567996775] #684

Closed c4-judge closed 1 year ago

c4-judge commented 1 year ago

Judge has assessed an item in Issue #154 as 3 risk. The relevant finding follows:

Erc20Quest.withdrawFee() can be called against a quest more than once

```solidity
function withdrawFee() public onlyAdminWithdrawAfterEnd {
    IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
}
```

The withdrawFee() function does not update the state of the Quest in such a way as to track claims against a set of currently-redeemed receipts. As such, even if no new users call claim(), protocol fees can be withdrawn more than once.

In the event of future decentralization of the protocol, unscrupulous projects could use this to reclaim tokens and deny valid receipts.

This multiple-claim issue factors into the Medium finding concerning denial of valid receipts due to griefing by 3rd parties.
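The defect the finding describes, as an added sketch that is not the audited Erc20Quest code: the quoted withdrawFee() is placed beside a form that records the payout before transferring. The admin/endTime checks in the modifier, the fixed feeAmount and the constructor are assumptions for the sketch.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Reduced sketch (added example, not the audited contract). admin, endTime,
// feeAmount and the modifier's checks are assumed for illustration.
contract Erc20QuestFeeSketch {
    using SafeERC20 for IERC20;

    address public admin;
    address public rewardToken;
    address public protocolFeeRecipient;
    uint256 public endTime;
    uint256 public feeAmount;          // assumed fixed fee for the sketch
    bool public protocolFeeWithdrawn;  // the state the finding says is missing

    constructor(address rewardToken_, address feeRecipient_, uint256 endTime_, uint256 feeAmount_) {
        admin = msg.sender;
        rewardToken = rewardToken_;
        protocolFeeRecipient = feeRecipient_;
        endTime = endTime_;
        feeAmount = feeAmount_;
    }

    modifier onlyAdminWithdrawAfterEnd() {
        require(msg.sender == admin, "not admin");
        require(block.timestamp > endTime, "quest not ended");
        _;
    }

    function protocolFee() public view returns (uint256) {
        return feeAmount;
    }

    // Vulnerable form as quoted in the finding: nothing records that the fee
    // was already paid, so every call moves another protocolFee() out of the
    // reward balance that should back unclaimed receipts.
    function withdrawFeeVulnerable() public onlyAdminWithdrawAfterEnd {
        IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
    }

    // Hardened form: set the flag before the external transfer
    // (checks-effects-interactions), so a second call reverts.
    function withdrawFee() public onlyAdminWithdrawAfterEnd {
        require(!protocolFeeWithdrawn, "fee already withdrawn");
        protocolFeeWithdrawn = true;
        IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
    }
}
```

A unit test that calls withdrawFee() twice after endTime and expects the second call to revert is the regression check for this finding.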

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #23

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory