Users may mint receipts before Quest has started, if there is none or faulty off-chain validation

[code423n4]

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L229

Vulnerability details

A user mints a receipt (ERC721) in order to be able to claim their reward. As shown by the claim flowchart, the quest should be initially started before the user completes the on-chain tasks and mints a receipt. At the current moment within mintReceipt there is no modifier or check through the code that would revert if quest has not started at both the function level and at the start time.

Impact

If there is sufficient validation by the rabbithole ECSDA hash endpoint to check off-chain by calling various view functions from the Quest Contract to establish whether the Quest has truly started then it will not be an issue. However, it may be good practice to implement this check within the contract. Hence why I have labelled as potentially a medium risk.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Claim flowchart -> (https://user-images.githubusercontent.com/14314818/214354756-0af7e34d-746e-4429-8b55-8eb6d8bb1e31.png)
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219-L229

Tools Used

Manual Code Review, Visual Studio Code

Recommended Mitigation Steps

Add modifier or if condition to revert if quest in question is has not started yet (at function level and based on start time)

[c4-judge]

kirk-baird changed the severity to QA (Quality Assurance)

[c4-sponsor]

waynehoover marked the issue as sponsor confirmed

[c4-judge]

kirk-baird marked the issue as grade-b