Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Owner can stop user from claiming rewards in the Erc1155Quest #655

Closed
code423n4 opened this issue Jan 30, 2023 · 5 comments
Closed

Owner can stop user from claiming rewards in the Erc1155Quest #655

code423n4 opened this issue Jan 30, 2023 · 5 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-528 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/Erc1155Quest.sol#L54-L63

Vulnerability details

Impact

After completing their tasks users can mint a new receipt token which they can later claim reward with it using the claim function, this function can not be called when the Quest contract is paused so the users can't claim when quest contract is paused.

After the end of the quest the owner is able to withdraw back the remaining tokens, in the case of Erc20Quest the owner is able to withdraw only the reward tokens for the non-participants and the participants rewards are kept in the contract until they get claimed but for the Erc1155Quest the owner is able to withdraw all tokens deposited when starting the quest regardless of the already minted receipt.

Thus for an Erc1155Quest type quest the scenario where users can not claim their reward is the following :

  • the owner start the Erc1155Quest by calling the start() function and then he set the contract to paused.
  • The users can complete the tasks and mint a receipt token by calling the mintReceipt function.
  • users can not claim reward for their receipt token because the Quest contract is paused.
  • the owner wait until the end of the quest and then calls the withdrawRemainingTokens function to get back all the tokens previously deposited at the start.
  • in the end the users did complete their tasks but they will never receive the reward for it.

Proof of Concept

This issue occurs because withdrawRemainingTokens function of the Erc1155Quest contract allow the owner to withdraw all the tokens deposited at the start :

File: Erc1155Quest.sol Line 54-63

function withdrawRemainingTokens(address to_) public override onlyOwner {
    super.withdrawRemainingTokens(to_);
    IERC1155(rewardToken).safeTransferFrom(
        address(this),
        to_,
        rewardAmountInWeiOrTokenId,
        IERC1155(rewardToken).balanceOf(address(this), rewardAmountInWeiOrTokenId),
        '0x00'
    );
}

On the contrary to the withdrawRemainingTokens function of the Erc20Quest which account for the already minted tokens by calling questFactoryContract.getNumberMinted(questId) and thus allow the owner to only withdraw reward correspanding to non-minted tokens, the withdrawRemainingTokens function of the Erc1155Quest allow the owner to withdraw all the reward tokens regardless if they correspand to a minted receipt.

This will allow the owner to follow the scenario mentioned before to stop users for claiming their rewards.

Tools Used

Manual review

Recommended Mitigation Steps

To avoid this issue i recommend to modify the withdrawRemainingTokens function of the Erc1155Quest and make work similarly to the one in Erc20Quest.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 30, 2023
code423n4 added a commit that referenced this issue Jan 30, 2023
@code423n4
Aymen0909 issue #655
4270692
@c4-judge c4-judge closed this as completed Feb 6, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Feb 6, 2023

kirk-baird marked the issue as duplicate of #42

@c4-judge c4-judge added downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax and removed 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value labels Feb 10, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to QA (Quality Assurance)

@c4-judge c4-judge reopened this Feb 10, 2023
@c4-judge
Copy link
Contributor

This previously downgraded issue has been upgraded by kirk-baird

@c4-judge c4-judge added 3 (High Risk) Assets can be stolen/lost/compromised directly and removed downgraded by judge Judge downgraded the risk level of this issue QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax labels Feb 10, 2023
@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Feb 14, 2023
@c4-judge
Copy link
Contributor

kirk-baird marked the issue as satisfactory

@c4-judge c4-judge added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Feb 23, 2023
@c4-judge
Copy link
Contributor

kirk-baird changed the severity to 2 (Med Risk)

@c4-judge c4-judge added the downgraded by judge Judge downgraded the risk level of this issue label Feb 23, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-528 satisfactory satisfies C4 submission criteria; eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@code423n4 @c4-judge