code-423n4 / 2023-01-rabbithole-findings


Upgraded Q -> 3 from #599 [1675723538994] #690

Closed c4-judge closed 1 year ago

c4-judge commented 1 year ago

Judge has assessed an item in Issue #599 as 3 risk. The relevant finding follows:

[L-01] Erc1155Quest's tokens can be withdrawn before every reward has been claimed

Impact

The owner can withdraw all the remaining tokens after the Quest endTime. Thus, users who have not claimed their reward at the end of the quest may not be able to do so because the tokens can be withdrawn by the owner beforehand.

Proof Of Concept

The withdrawRemainingTokens() function withdraws all token balance without checking unclaimed tokens.

File: Erc1155Quest.sol

L56: IERC1155(rewardToken).safeTransferFrom(
         address(this),
         to_,
         rewardAmountInWeiOrTokenId,
         IERC1155(rewardToken).balanceOf(address(this), rewardAmountInWeiOrTokenId),
         '0x00'
     );
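
One way to close the gap described in [L-01], as an added example that is not part of the original finding or of the audited code: track what is still owed and let withdrawRemainingTokens() send the owner only the surplus above it. The contract name, the unredeemed and totalUnredeemed counters, issueReceipt(), claim() and the one-token-per-receipt payout are assumptions made for this sketch; only rewardToken, rewardAmountInWeiOrTokenId, endTime and withdrawRemainingTokens(to_) come from the finding.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
interface IERC1155 {
    function balanceOf(address account, uint256 id) external view returns (uint256);
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

// Illustrative quest, not the audited contract. Assumptions of this example: the
// unredeemed/totalUnredeemed counters, issueReceipt(), claim(), one token per receipt.
contract Erc1155QuestSketch {
    address public immutable owner;
    address public immutable rewardToken;
    uint256 public immutable rewardAmountInWeiOrTokenId; // token id for an ERC-1155 quest
    uint256 public immutable endTime;
    mapping(address => uint256) public unredeemed; // rewards a user can still claim
    uint256 public totalUnredeemed; // sum of unredeemed over all users
    constructor(address rewardToken_, uint256 tokenId_, uint256 endTime_) {
        owner = msg.sender;
        rewardToken = rewardToken_;
        rewardAmountInWeiOrTokenId = tokenId_;
        endTime = endTime_;
    }

    // Stand-in for receipt minting: records one more reward owed to user_.
    function issueReceipt(address user_) external {
        require(msg.sender == owner, "not owner");
        unredeemed[user_] += 1;
        totalUnredeemed += 1;
    }

    // Pays out everything owed to the caller, before or after endTime.
    function claim() external {
        uint256 amount = unredeemed[msg.sender];
        require(amount > 0, "nothing to claim");
        unredeemed[msg.sender] = 0; // effects before the external call
        totalUnredeemed -= amount;
        IERC1155(rewardToken).safeTransferFrom(address(this), msg.sender, rewardAmountInWeiOrTokenId, amount, "");
    }

    // Hardened withdrawal: the owner gets only the surplus above what is still owed.
    function withdrawRemainingTokens(address to_) external {
        require(msg.sender == owner && block.timestamp > endTime, "not owner or quest not ended");
        uint256 balance = IERC1155(rewardToken).balanceOf(address(this), rewardAmountInWeiOrTokenId);
        require(balance > totalUnredeemed, "no surplus to withdraw");
        IERC1155(rewardToken).safeTransferFrom(address(this), to_, rewardAmountInWeiOrTokenId, balance - totalUnredeemed, "");
    }

    // ERC-1155 acceptance hook so the quest can be funded; returns the standard magic value.
    function onERC1155Received(address, address, uint256, uint256, bytes calldata) external pure returns (bytes4) { return 0xf23a6e61; }
}
```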

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #42

c4-judge commented 1 year ago

This auto-generated issue was withdrawn by kirk-baird

c4-judge commented 1 year ago

This previously downgraded issue has been upgraded by kirk-baird

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory

c4-judge commented 1 year ago

kirk-baird changed the severity to 2 (Med Risk)