Minting receipts after withdrawRemainingTokens function has been called, can make that some participants wont be able to claim their receipts or protocol claim its fee.

[code423n4]

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L219
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleReceipt.sol#L98
https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81

Vulnerability details

Impact

The purpose of withdrawRemainingTokens is to withdraw all the tokens that wont be claimed by participants, because endTime has passed and some receipts were not minted. Leaving on the contract the exact amount for minted but not claimed receipts and for the protocol fee given the amount of minted receipts.

So the function has an assumption that receipts cannot be minted after endTime but following the control flow, there is no check that ensures this, nor a deadline for the signatures to be valid.

If someone mints a receipt after the owner called withdrawRemainingTokens then the contract wont have enough tokens to pay all the mintedd receipts nor the protocol fee.

Proof of Concept

Maybe the Front End wont stop giving signatures after endTime but the user can request a signature before endTime, and then cancelling the transaction but copying the valid signature to be used later.

Tools Used

Manual

Recommended Mitigation Steps

Make signatures have a deadline to be used or not allow minting after endTime

[c4-judge]

kirk-baird marked the issue as duplicate of #42

[c4-judge]

kirk-baird marked the issue as not a duplicate

[c4-judge]

kirk-baird marked the issue as duplicate of #22

[c4-judge]

kirk-baird marked the issue as satisfactory