Users can't claim if they mint receipts after the admin changes receiptContract. #589
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
duplicate-425
satisfactory
satisfies C4 submission criteria; eligible for awards
Comments
code423n4
added
2 (Med Risk)
|
kirk-baird marked the issue as duplicate of #425 |
c4-judge
added
the
satisfactory
|
kirk-baird marked the issue as satisfactory |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/rabbitholegg/quest-protocol/tree/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/QuestFactory.sol#L228
https://github.com/rabbitholegg/quest-protocol/tree/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Quest.sol#L99
Vulnerability details
Impact
Users can't claim if they mint receipts after the admin changes receiptContract, and they can't get rewards.
Proof of Concept
In the implementation of
QuestFactory.mintReceipt, user will get factory's receipt. But when the user claim, quest's receipt is counted. So if the user mints receipt after the admin changes receipt contract, he will get a new receipt. But he needs old receipts for claiming rewards. So he can't get reward.Tools Used
Manual Review
Recommended Mitigation Steps
Get receipt contract from quest, and mint quest's receipt instead of factory's receipt.
The text was updated successfully, but these errors were encountered: