## [YO HIGH-1] Anyone can't deposit. #402
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
code423n4
added
3 (High Risk)
|
kirk-baird marked the issue as unsatisfactory: |
c4-judge
added
the
unsatisfactory
|
User's deposit the funds by first transferring them into the contract then calling |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L59-L60
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L34-L35
Vulnerability details
Impact
The documentation says that rewards are transferred to the quest contract when the quest is created and then transferred when the reward is claimed, but I can't find anywhere the logic for depositing to the quest contract. If the creator of the quest cannot deposit the reward, the quest will not start.
Proof of Concept
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L59-L60
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L34-L35
Tools Used
pen and paper
Recommended Mitigation Steps
Consider implementing a function that allows the quest creator to deposit.
The text was updated successfully, but these errors were encountered: