Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERC20 quest does not support rebasing tokens #454

Open
code423n4 opened this issue Jan 30, 2023 · 12 comments
Open

ERC20 quest does not support rebasing tokens #454

code423n4 opened this issue Jan 30, 2023 · 12 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax satisfactory satisfies C4 submission criteria; eligible for awards sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L66-L68
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L81-L87
https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L102-L104

Vulnerability details

Impact

When a rebasing token is used as the reward token for an ERC20 quest, it is possible that this token's rebasing event, which reduces its balance owned by the Erc20Quest contract, occurs before the following Erc20Quest._transferRewards, Erc20Quest.withdrawRemainingTokens, and Erc20Quest.withdrawFee functions are called. When this occurs, calling these transfer functions can revert due to insufficient balance of this rebasing reward token owned by the Erc20Quest contract. As a result, the reward token amounts that suppose to be received by the RabbitHole receipt holders, quest owner, and/or protocol fee recipient cannot be transferred.

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L66-L68

    function _transferRewards(uint256 amount_) internal override {
        IERC20(rewardToken).safeTransfer(msg.sender, amount_);
    }

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L81-L87

    function withdrawRemainingTokens(address to_) public override onlyOwner {
        super.withdrawRemainingTokens(to_);

        uint unclaimedTokens = (receiptRedeemers() - redeemedTokens) * rewardAmountInWeiOrTokenId;
        uint256 nonClaimableTokens = IERC20(rewardToken).balanceOf(address(this)) - protocolFee() - unclaimedTokens;
        IERC20(rewardToken).safeTransfer(to_, nonClaimableTokens);
    }

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/Erc20Quest.sol#L102-L104

    function withdrawFee() public onlyAdminWithdrawAfterEnd {
        IERC20(rewardToken).safeTransfer(protocolFeeRecipient, protocolFee());
    }

Proof of Concept

The following steps can occur for one of the described scenarios.

  1. An ERC20 quest is created for one total participant and zero protocol fee with a rebasing token as its reward token.
  2. Alice is provided with the signature for minting one RabbitHole receipt for this quest. Then, she mints one receipt accordingly.
  3. Before Alice claims the rewards associated with the minted receipt, the reward token's rebasing event occurs that reduces its balance owned by the Erc20Quest contract.
  4. Alice calls the claim function for this quest but this function call reverts because the rebasing reward token's balance owned by the Erc20Quest contract is now insufficient to cover her reward token amount. Hence, she is unable to receive the reward token amount associated with her RabbitHole receipt.

Tools Used

VSCode

Recommended Mitigation Steps

Like some other protocols, this protocol does not have to support rebasing tokens. A blocklist can be used to block the usage of these tokens. If blocking these tokens, please explicitly document it so users know about this.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 30, 2023
code423n4 added a commit that referenced this issue Jan 30, 2023
@code423n4
rbserver issue #454
57e79ed
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 6, 2023

kirk-baird changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Feb 14, 2023
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by kirk-baird

1 similar comment
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by kirk-baird

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as duplicate of #630

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 14, 2023
@c4-judge c4-judge mentioned this issue Feb 14, 2023
Open
@c4-judge c4-judge reopened this Feb 14, 2023
@c4-judge c4-judge added primary issue Highest quality submission among a set of duplicates selected for report This submission will be included/highlighted in the audit report labels Feb 14, 2023
@c4-judge
Copy link
Contributor

kirk-baird marked the issue as selected for report

@c4-sponsor
Copy link

waynehoover marked the issue as sponsor disputed

@c4-sponsor c4-sponsor added the sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue label Feb 22, 2023
@waynehoover
Copy link

We have a rewardAllowlist in which we will not include rebasing tokens, our protocol does not support rebasing tokens.

@kirk-baird
Copy link

Reward allow list is a genuine solution to prevent rebasing and FoT tokens and so I'm going to downgrade this to a QA.

I'd also recommend clearly documenting the rebasing and FoT tokens will not be allowed.

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 23, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to QA (Quality Assurance)

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as grade-a

@c4-judge
Copy link
Contributor

kirk-baird marked the issue as not selected for report

@c4-judge c4-judge removed the selected for report This submission will be included/highlighted in the audit report label Feb 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a primary issue Highest quality submission among a set of duplicates QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax satisfactory satisfies C4 submission criteria; eligible for awards sponsor disputed Sponsor cannot duplicate the issue, or otherwise disagrees this is an issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@waynehoover @kirk-baird @code423n4 @c4-judge @c4-sponsor