code-423n4 / 2023-01-rabbithole-findings


Upgraded Q -> 3 from #664 [1675726078144] #700

Closed c4-judge closed 1 year ago

c4-judge commented 1 year ago

Judge has assessed an item in Issue #664 as 3 risk. The relevant finding follows:

[L-1] ERC20 Quest: withdrawFee() function should only be able to be called once instead of multiple times

Issue: The withdrawFee() function can be called multiple times by admin after a quest ends, resulting in more than the protocolFee being paid. This will help to prevent potential abuse or accidentally calling the function more than once.

Suggested Fix: include a boolean check, e.g. feeWithdrawn = True, so that the withdrawFee() function can only be called once.

```solidity
/// In Quest.sol
/// @notice add bool
bool public feeWithdrawn;

/// @notice Starts the Quest
/// @dev Only the owner of the Quest can call this function
function start() public virtual onlyOwner {
    isPaused = false;
    hasStarted = true;
    feeWithdrawn = false;
}

/// In Erc20Quest.sol
/// @notice Sends the protocol fee to the protocolFeeRecipient
/// @dev Only callable when the quest is ended
function withdrawFee() public onlyAdminWithdrawAfterEnd {
    if (feeWithdrawn) revert FeeAlreadyWithdrawn();
    IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
    feeWithdrawn = true;
}
```
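A self-contained Solidity model of the repeated fee withdrawal described in the finding above, added here as an example; it is not code from the RabbitHole repository or from the finding's author. `MockToken`, `QuestModel`, `FeeGuardDemo`, the fixed fee of 100 and the 1,000-token balance are constructed for illustration, the `onlyAdminWithdrawAfterEnd` check is left out, and the guarded path sets `feeWithdrawn` before the transfer rather than after it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added example: all names and amounts below are constructed, not project code.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }
    function transfer(address to, uint256 amount) external returns (bool) {
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on underflow
        balanceOf[to] += amount;
        return true;
    }
}

contract QuestModel {
    error FeeAlreadyWithdrawn();
    MockToken public immutable rewardToken;
    address public immutable protocolFeeRecipient;
    bool public immutable guarded; // hypothetical switch: false = behaviour reported in the finding
    bool public feeWithdrawn;

    constructor(MockToken token, address recipient, bool guarded_) {
        rewardToken = token;
        protocolFeeRecipient = recipient;
        guarded = guarded_;
    }

    function protocolFee() public pure returns (uint256) { return 100; } // constructed fixed fee

    // Access control (onlyAdminWithdrawAfterEnd on the page) is omitted in this model.
    function withdrawFee() external {
        if (guarded) {
            if (feeWithdrawn) revert FeeAlreadyWithdrawn();
            feeWithdrawn = true; // state change before the external call
        }
        rewardToken.transfer(protocolFeeRecipient, protocolFee());
    }
}

contract FeeGuardDemo {
    // Calls withdrawFee() twice and reports what the fee recipient ended up holding.
    function paidAfterTwoCalls(bool guarded) external returns (uint256 paid, bool secondReverted) {
        MockToken token = new MockToken();
        address recipient = address(0xFEE);
        QuestModel quest = new QuestModel(token, recipient, guarded);
        token.mint(address(quest), 1_000); // quest balance: rewards plus fee
        quest.withdrawFee();
        try quest.withdrawFee() {} catch { secondReverted = true; }
        paid = token.balanceOf(recipient);
    }
}
```

Comparing `paidAfterTwoCalls(false)` with `paidAfterTwoCalls(true)` shows the recipient's balance exceeding `protocolFee()` only in the unguarded variant, while the guarded second call reverts.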

c4-judge commented 1 year ago

kirk-baird marked the issue as duplicate of #23

c4-judge commented 1 year ago

kirk-baird marked the issue as satisfactory