Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

There is no way to revoke a specified signature that is provided but not yet used for minting a RabbitHole receipt #663

Open
code423n4 opened this issue Jan 30, 2023 · 3 comments
Open

There is no way to revoke a specified signature that is provided but not yet used for minting a RabbitHole receipt #663

code423n4 opened this issue Jan 30, 2023 · 3 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/QuestFactory.sol#L219-L229

Vulnerability details

Impact

A user can call the following mintReceipt function using a provided signature. It is possible that the claim signer, quest owner, or RabbitHole team is legally required to disallow a user from minting a RabbitHole receipt after the signature is provided. In this case, the provided signature needs to be revoked before it is used. However, there is no way to do this currently unless the QuestFactory contract's owner changes claimSignerAddress to revert the mintReceipt function call with the AddressNotSigned custom error, which will revoke all users' signatures, including the valid and safe ones, and cause much inconveniences to all users. If keeping claimSignerAddress as is, the user with the signature that should be revoked can use such signature to mint a RabbitHole receipt and claim the associated rewards when she or he actually should be disallowed from doing so.

https://github.com/rabbitholegg/quest-protocol/blob/main/contracts/QuestFactory.sol#L219-L229

    function mintReceipt(string memory questId_, bytes32 hash_, bytes memory signature_) public {
        if (quests[questId_].numberMinted + 1 > quests[questId_].totalParticipants) revert OverMaxAllowedToMint();
        if (quests[questId_].addressMinted[msg.sender] == true) revert AddressAlreadyMinted();
        if (keccak256(abi.encodePacked(msg.sender, questId_)) != hash_) revert InvalidHash();
        if (recoverSigner(hash_, signature_) != claimSignerAddress) revert AddressNotSigned();

        quests[questId_].addressMinted[msg.sender] = true;
        quests[questId_].numberMinted++;
        emit ReceiptMinted(msg.sender, questId_);
        rabbitholeReceiptContract.mint(msg.sender, questId_);
    }

Proof of Concept

The following steps can occur for the described scenario.

  1. Alice is provided with a signature for minting a RabbitHole receipt but does not use it yet.
  2. The claim signer, quest owner, or RabbitHole team needs to revoke Alice's unused signature for a legal reason but there is no way to just revoke Alice's signature.
  3. Later, Alice uses the provided signature to mint a RabbitHole receipt. When the claim window starts, she is able to claim the rewards associated with this RabbitHole receipt while she actually should be disallowed from doing so.

Tools Used

VSCode

Recommended Mitigation Steps

A function that is only callable by a trusted party, such as the claim signer, quest owner, or RabbitHole team, can be added for recording the specified signature for a user that should be revoked. Then, the mintReceipt function can be updated to prevent the corresponding user from using the revoked signature.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 30, 2023
code423n4 added a commit that referenced this issue Jan 30, 2023
@code423n4
rbserver issue #663
25c6e28
@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 6, 2023

kirk-baird changed the severity to QA (Quality Assurance)

@c4-sponsor
Copy link

waynehoover marked the issue as sponsor acknowledged

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Feb 7, 2023
@kirk-baird kirk-baird mentioned this issue Feb 14, 2023
Open
@c4-judge
Copy link
Contributor

kirk-baird marked the issue as grade-a

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue grade-a QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@code423n4 @c4-judge @c4-sponsor