RabbitHole receipt, which has its associated rewards already claimed, can still be traded and transferred to others #445
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-119
satisfactory
satisfies C4 submission criteria; eligible for awards
Lines of code
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Quest.sol#L96-L118
Vulnerability details
Impact
After the reward token amount associated with the minted RabbitHole receipt is claimed, the holder of this receipt can still trade and transfer it to another user, who purchases this receipt while being unaware of this receipt's claim status. After the purchase, calling the following
claim
function for this receipt will revert with theAlreadyClaimed
custom error. As a result, this buyer loses the payment amount for purchasing such receipt and is unable to claim any associated rewards.https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Quest.sol#L96-L118
Proof of Concept
Please append the following test in the
claim()
describe
block inquest-protocol\test\Erc20Quest.spec.ts
. This test will pass to demonstrate the described scenario.Tools Used
VSCode
Recommended Mitigation Steps
When calling the
claim
function, the RabbitHole receipt, which has its associated rewards claimed, can be burnt so it cannot be traded or transferred afterwards.The text was updated successfully, but these errors were encountered: