RabbitHoleReceipt's address might be changed therefore only manual mint will be available #425
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
disagree with severity
Sponsor confirms validity, but disagrees with warden’s risk assessment (sponsor explain in comments)
downgraded by judge
Judge downgraded the risk level of this issue
M-06
primary issue
Highest quality submission among a set of duplicates
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L13
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L44
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L96-L118
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L95-L104
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L215-L229
Vulnerability details
Impact
Might be impossible to claim rewards by users. And admins must distribute tokens manually and pay fee for this. On a huge amount of participants this leads to huge amount of fees.
Proof of Concept
Let's consider
QuestFactory
. It has:RabbitHoleReceipt public rabbitholeReceiptContract;
Which responsible for mint tokens for users.
Then consider
createQuest
function. Here we passrabbitholeReceiptContract
intoQuest
.In
Quest
this field is immutable.Now lets consider next case:
rabbitholeReceiptContract
inQuestFactory
for another. To do this we call:setRabbitHoleReceiptContract
. And successfully changing address.QuestFactory
storages new address ofrabbitholeReceiptContract
, butQuest
initialized with older one. So users successfully minted their tokens, but can't exchange them for tokens because the Quest's receipt contract know nothing about minted tokens.Possible solution here is change
minterAddress
in the originalRabbitHoleReceipt
contract and manually mint tokens by admin, but it will be too expensive and the company may lost a lot of money.Tools Used
Manual audit
Recommended Mitigation Steps
In
QuestFactory
contract in the functionmintReceipt
the rabbitholeReceiptContract must be fetched from the quest directly.To
Quest
Add:Modify
mintReceipt
function inQuestFactory
like:The text was updated successfully, but these errors were encountered: