Upgraded Q -> 2 from #619 [1675724616184] #694
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
duplicate-119
satisfactory
satisfies C4 submission criteria; eligible for awards
Judge has assessed an item in Issue #619 as 2 risk. The relevant finding follows:
[L-06] In contract Quest, the function claim shouldn't only set the receipt as claimed, but burn it as well, as this problem brings the risk where users can sell already claimed receipts to other people
The function claim is used by users to claim their ERC721 receipts for rewards. By using the function, the receipt is set as claimed with a simple mapping id => bool, but it isn't burned. In the protocol docs it is clearly stated that users are free to sell or trade their receipts. Since the claimed receipts aren't burned, this brings the risk where already claimed receipts can be sold to other people. A burn function already exists in RabbitHoleReceipt, but isn't used.
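A simplified model of the behaviour the finding describes, added here as an example and not the project's own code: the contract and function names are hypothetical, minting is left unrestricted for brevity, and a counter stands in for the reward payout.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Hypothetical stand-in for a tradable receipt token (not RabbitHoleReceipt itself).
contract ReceiptModel {
    mapping(uint256 => address) public ownerOf; // tokenId => holder; address(0) once burned
    address public immutable quest;             // only the deploying quest may mint or burn

    constructor() { quest = msg.sender; }

    modifier onlyQuest() { require(msg.sender == quest, "not quest"); _; }

    function mint(address to, uint256 id) external onlyQuest {
        require(ownerOf[id] == address(0), "exists");
        ownerOf[id] = to;
    }

    // Receipts can be freely sold or traded, so transfer has no claim check.
    function transfer(address to, uint256 id) external {
        require(ownerOf[id] == msg.sender, "not owner");
        require(to != address(0), "zero address");
        ownerOf[id] = to;
    }

    function burn(uint256 id) external onlyQuest { delete ownerOf[id]; }
}

// Hypothetical stand-in for the quest contract, with both claim variants side by side.
contract QuestModel {
    ReceiptModel public receipt = new ReceiptModel();
    mapping(uint256 => bool) public claimed;    // the "id => bool" flag from the finding
    mapping(address => uint256) public rewards; // stand-in for the reward payout

    function issue(address to, uint256 id) external { receipt.mint(to, id); }

    // Behaviour the finding describes: flag set, receipt stays in circulation.
    function claimFlagOnly(uint256 id) external { _checkAndMark(id); rewards[msg.sender] += 1; }

    // Behaviour the finding recommends: flag set and the receipt burned.
    function claimAndBurn(uint256 id) external {
        _checkAndMark(id);
        receipt.burn(id);
        rewards[msg.sender] += 1;
    }

    function _checkAndMark(uint256 id) private {
        require(receipt.ownerOf(id) == msg.sender, "not owner");
        require(!claimed[id], "already claimed");
        claimed[id] = true;
    }
}
```

After `claimFlagOnly`, the claimant can still `transfer` the receipt, and the new holder's claim reverts with "already claimed". After `claimAndBurn`, the `transfer` itself reverts because the token no longer has an owner.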