Judge has assessed an item in Issue #664 as 3 risk. The relevant finding follows:

[L-1] ERC20 Quest: withdrawFee() function should only be able to be called once instead of multiple times

Issue: The withdrawFee() function can be called multiple times by the admin after a quest ends, resulting in more than the protocolFee being paid. This will help to prevent potential abuse or accidentally calling the function more than once.

Suggested Fix: include a boolean check, e.g. feeWithdrawn = True, so that the withdrawFee() function can only be called once.
```solidity
/// In Quest.sol
/// @notice add bool: true once the protocol fee has been paid out
bool public feeWithdrawn;

/// @notice Custom error used by withdrawFee(); it has to be declared for the revert to compile
error FeeAlreadyWithdrawn();

/// @notice Starts the Quest
/// @dev Only the owner of the Quest can call this function
function start() public virtual onlyOwner {
    isPaused = false;
    hasStarted = true;
    feeWithdrawn = false;
}

/// In Erc20Quest.sol
/// @notice Sends the protocol fee to the protocolFeeRecipient
/// @dev Only callable when the quest is ended, and only once
function withdrawFee() public onlyAdminWithdrawAfterEnd {
    if (feeWithdrawn) revert FeeAlreadyWithdrawn();
    // Set the flag before the external call (checks-effects-interactions)
    feeWithdrawn = true;
    IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
}
```