code-423n4 / 2023-01-rabbithole-findings


Upgraded Q -> 2 from #619 [1675724616184] #694

Closed c4-judge closed 1 year ago

c4-judge commented 1 year ago

Judge has assessed an item in Issue #619 as 2 risk. The relevant finding follows:

[L-06] In contract Quest, the function claim shouldn't only set the receipt as claimed but burn it as well, as this problem brings the risk that users can sell already claimed receipts to other people

The function claim is used by users to claim their ERC721 receipts for rewards. By using the function, the receipt is set as claimed with a simple mapping id => bool, but it isn't burned. In the protocol docs it is clearly stated that users are free to sell or trade their receipts. Since the claimed receipts aren't burned, this brings the risk that already claimed receipts can be sold to other people. A burn function already exists in RabbitHoleReceipt, but isn't used.
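Added example, not part of the issue thread and not the RabbitHole code: a simplified Solidity model of the finding, with a mark-only claim beside a claim that also burns the receipt. `ReceiptModel`, `QuestModel`, `claimMarkOnly`, `claimAndBurn`, `mintReceipt` and `rewardsPaid` are hypothetical names, and the per-id claim signature is an assumption made to keep the model short.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;
// Simplified model for illustration only; not the project's contracts.
contract ReceiptModel {
    address public quest;                       // deployer; the only account allowed to mint and burn
    mapping(uint256 => address) public ownerOf; // tokenId => current holder
    uint256 private nextId = 1;
    constructor() { quest = msg.sender; }
    function mint(address to) external returns (uint256 id) {
        require(msg.sender == quest, "only quest");
        id = nextId++;
        ownerOf[id] = to;
    }

    // Receipts are freely transferable, as the finding says the docs allow.
    function transfer(address to, uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        ownerOf[id] = to;
    }

    function burn(uint256 id) external {
        require(msg.sender == quest, "only quest");
        delete ownerOf[id];
    }
}

contract QuestModel {
    ReceiptModel public receipt;
    mapping(uint256 => bool) public claimed;        // the "id => bool" mapping from the finding
    mapping(address => uint256) public rewardsPaid; // stand-in for the reward payout
    constructor() { receipt = new ReceiptModel(); }
    function mintReceipt() external returns (uint256) { return receipt.mint(msg.sender); }

    // Behaviour the finding describes: the receipt is flagged but remains a live token.
    function claimMarkOnly(uint256 id) external { _claim(id); }

    // Behaviour the finding asks for: flag the receipt and burn it in the same call.
    function claimAndBurn(uint256 id) external {
        _claim(id);
        receipt.burn(id);
    }

    function _claim(uint256 id) internal {
        require(receipt.ownerOf(id) == msg.sender, "not holder");
        require(!claimed[id], "already claimed");
        claimed[id] = true;
        rewardsPaid[msg.sender] += 1;
    }
}
```

After `claimMarkOnly`, `transfer` still succeeds and the new holder's claim reverts with "already claimed"; after `claimAndBurn`, `ownerOf` returns the zero address and `transfer` reverts, so no spent receipt is left in circulation.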

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #201

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory