Erc20Quest.withdrawRemainingTokens after withdrawFee can revert
#585
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
downgraded by judge
Judge downgraded the risk level of this issue
duplicate-122
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
kirk-baird marked the issue as duplicate of #61 |
|
kirk-baird marked the issue as satisfactory |
c4-judge
added
satisfactory
|
kirk-baird changed the severity to 3 (High Risk) |
c4-judge
added
2 (Med Risk)
|
kirk-baird changed the severity to 2 (Med Risk) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/rabbitholegg/quest-protocol/tree/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L81-L87
https://github.com/rabbitholegg/quest-protocol/tree/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc20Quest.sol#L102-L104
Vulnerability details
Impact
An attacker can run
Erc20Quest.withdrawFeebeforewithdrawRemainingTokens, and as a result,withdrawRemainingTokenscan revert.Proof of Concept
In
Erc20Quest.withdrawRemainingTokens, the admin leftprotocolFee() + unclaimedTokensin the contract. It means that it assumeswithdrawFee()will be called afterwithdrawRemainingTokens().But in fact, anyone can call
withdrawFeeafter the quest's end time. So if an attacker callswithdrawFeebefore the admin callswithdrawRemainingTokens,withdrawRemainingTokenswill revert.Tools Used
Manual Review
Recommended Mitigation Steps
withdrawFeeshould be called only once, and in the implementation ofwithdrawRemainingTokens, ifwithdrawFeeis called before, no need to leaveprotocolFee().The text was updated successfully, but these errors were encountered: