code423n4, Code4rena, CODE423N4:2023-01-RABBITHOLE-FINDINGS-ISSUES-626
Jan 30, 2023 - 12:00 a.m.

Any user is able to mint a new receipt/ticket tokens


Lines of code
<https://github.com/rabbitholegg/quest-protocol/blob/8c4c1f71221570b14a0479c216583342bd652d8d/contracts/RabbitHoleTickets.sol#L47-L50>

Vulnerability details

Impact

In the RabbitHoleReceipt and RabbitHoleTickets contracts, the minterAddress should be the only account allowed to mint a new token, but due to an error in the onlyMinter modifier all users are able to mint new tokens without permission. The impact of this issue is that any user can mint a new token and use it to claim a reward without completing the quest or having a signed hash message.

Proof of Concept

This issue occurs because of an error in the onlyMinter modifier in both contracts:

File: RabbitHoleReceipt.sol Line 58-61

File: RabbitHoleTickets.sol Line 47-50

modifier onlyMinter() {
    msg.sender == minterAddress;
    _;
}

As you can see from the code above, the modifier does not contain a require/revert statement that would revert when a non-minter calls the function. Instead, the modifier just compares the value of msg.sender with the value of minterAddress and then continues executing the function regardless of the result of the comparison, so any address can call the mint functions and mint new tokens without permission.

Tools Used

Manual review

Recommended Mitigation Steps

Add a require/revert in the onlyMinter modifier for both contracts as follows:

modifier onlyMinter() {
    require(msg.sender == minterAddress, "only minter");
    _;
}
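
A review-time check for this bug class, added here as an example (it is not part of the original report or of the quest-protocol code base): a heuristic Python scan that flags any Solidity modifier containing a comparison whose result is discarded. The function names and the renamed sample modifiers are assumptions made for the illustration.

```python
import re

MODIFIER = re.compile(r"\bmodifier\s+(\w+)[^{;]*\{")
OP = re.compile(r"<<=|>>=|==|!=|<=|>=|<<|>>|<|>|=")
COMPARE = {"==", "!=", "<=", ">=", "<", ">"}

def clean(src):
    """Blank string literals, then drop comments, so they cannot confuse the scan."""
    src = re.sub(r'"[^"\n]*"', '""', src)
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def modifier_bodies(src):
    """Yield (name, body) per modifier, matching braces to find where the body ends."""
    for m in MODIFIER.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i - 1]

def top_level_ops(stmt):
    """Operators that sit outside every parenthesis in one statement."""
    depth, ops, i = 0, [], 0
    while i < len(stmt):
        m = OP.match(stmt, i) if depth == 0 else None
        if m:
            ops.append(m.group())
        else:
            depth += {"(": 1, ")": -1}.get(stmt[i], 0)
        i = m.end() if m else i + 1
    return ops

def discarded_comparisons(src):
    """Names of modifiers with a statement that is only a comparison (no assignment)."""
    return [name for name, body in modifier_bodies(clean(src))
            if any(ops and all(op in COMPARE for op in ops)
                   for ops in map(top_level_ops, body.split(";")))]

# Constructed sample: the two modifiers shown on this page, renamed to tell them apart.
SAMPLE = """
modifier onlyMinterBroken() { msg.sender == minterAddress; _; }
modifier onlyMinterFixed() { require(msg.sender == minterAddress, "only minter"); _; }
"""
print(discarded_comparisons(SAMPLE))
```

The scan only catches the discarded-comparison pattern; a modifier that stores the comparison in an unused variable, or has no check at all, needs a separate rule or a unit test asserting that a non-minter call reverts.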
