Code4rena finding: 2023-01-RABBITHOLE-FINDINGS-ISSUES-632 (Jan 30, 2023)
Quest owner can withdraw the reward for unclaimed receipt.

Source: Code4rena (github.com)
Tags: erc1155, rewards, receipts, vulnerability

Lines of code

Vulnerability details

Impact

Erc1155Quest.withdrawRemainingTokens() withdraws the quest's entire ERC1155 reward balance, even when there are users who minted a receipt but did not claim their reward before endTime. Those receipt holders are left with nothing to redeem.

Proof of Concept

  • A whitelisted account creates a new ERC1155 quest and becomes the quest owner.
  • The owner transfers the rewards to the quest contract and executes the start function.
  • Users complete tasks and mint receipts but do not claim their rewards.
  • After the quest has ended (block.timestamp > endTime), the owner calls Erc1155Quest.withdrawRemainingTokens, which withdraws all rewards, including the rewards that receipt holders are entitled to.
  • The receipt holders can no longer claim their rewards: the contract has nothing left to transfer.

This can happen without a malicious whitelisted account.

Tools Used

Manual review

Recommended Mitigation Steps

Consider the minted receipt number when withdrawing remaining rewards, similar to how it’s done for Erc20Quest.

    function withdrawRemainingTokens(address to_) public override onlyOwner {
        super.withdrawRemainingTokens(to_);
        // Receipts that were minted but never redeemed still have a claim on rewards.
        uint256 unclaimedTokens = questFactoryContract.getNumberMinted(questId) - redeemedTokens;
        // Leave one reward token per unclaimed receipt in the contract and withdraw the rest.
        uint256 amountToWithdraw = IERC1155(rewardToken).balanceOf(address(this), rewardAmountInWeiOrTokenId) - unclaimedTokens;
        IERC1155(rewardToken).safeTransferFrom(
            address(this),
            to_,
            rewardAmountInWeiOrTokenId,
            amountToWithdraw,
            '0x00'
        );
    }
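To make the accounting concrete, here is an added Python model of the quest (example code written for this page, not the RabbitHole project's contracts) that replays the proof-of-concept steps above against both the reported withdraw logic and the mitigated one. The field names `minted_receipts` and `redeemed_tokens` stand in for `questFactoryContract.getNumberMinted(questId)` and `redeemedTokens`; the reward supply of 10 and the three receipts are constructed values.

```python
# Added example (not the project's code): model of ERC1155 quest reward accounting.
# Each receipt entitles its holder to exactly one unit of a single ERC1155 token id,
# which is how the finding describes rewardAmountInWeiOrTokenId for Erc1155Quest.


class Erc1155QuestModel:
    """One quest holding `reward_supply` units of the reward token id."""

    def __init__(self, end_time, reward_supply, fixed):
        self.end_time = end_time
        self.reward_supply = reward_supply  # balanceOf(quest, rewardAmountInWeiOrTokenId)
        self.minted_receipts = 0            # questFactoryContract.getNumberMinted(questId)
        self.redeemed_tokens = 0            # redeemedTokens
        self.claimed = {}                   # receipt id -> already redeemed?
        self.fixed = fixed                  # True: use the mitigated withdraw logic

    def mint_receipt(self, now):
        """A user completes a task before endTime and receives a receipt (no reward yet)."""
        if now > self.end_time:
            raise RuntimeError("quest has ended")
        receipt_id = self.minted_receipts
        self.minted_receipts += 1
        self.claimed[receipt_id] = False
        return receipt_id

    def claim(self, receipt_id):
        """Receipt holder redeems one reward token; returns True on success."""
        if self.claimed[receipt_id]:
            return False
        if self.reward_supply < 1:
            # The ERC1155 transfer would revert: the contract holds nothing to pay out.
            return False
        self.reward_supply -= 1
        self.redeemed_tokens += 1
        self.claimed[receipt_id] = True
        return True

    def withdraw_remaining(self, now):
        """Owner withdraws after endTime; returns the amount sent to the owner."""
        if now <= self.end_time:
            raise RuntimeError("quest still running")
        if self.fixed:
            # Mitigation: keep one token for every receipt minted but not yet redeemed.
            unclaimed = self.minted_receipts - self.redeemed_tokens
            amount = self.reward_supply - unclaimed
        else:
            # Reported behaviour: the whole balance leaves, unclaimed receipts or not.
            amount = self.reward_supply
        self.reward_supply -= amount
        return amount


def run_scenario(fixed):
    """Replay the proof of concept; returns (withdrawn, late_claims_ok, final_supply)."""
    end_time = 100
    quest = Erc1155QuestModel(end_time=end_time, reward_supply=10, fixed=fixed)
    receipts = [quest.mint_receipt(now=50) for _ in range(3)]   # three users finish tasks
    quest.claim(receipts[0])                                    # only one claims in time
    withdrawn = quest.withdraw_remaining(now=end_time + 1)      # owner withdraws
    late_claims_ok = all(quest.claim(r) for r in receipts[1:])  # the other two try later
    return withdrawn, late_claims_ok, quest.reward_supply


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))  # (9, False, 0)
    print("mitigated: ", run_scenario(fixed=True))   # (7, True, 0)
```

With the reported logic the owner receives 9 tokens and the two late claims fail; with the mitigated logic the owner receives 7, the two outstanding receipts are still redeemable, and the contract ends at a zero balance, which is the invariant a reviewer should check: after withdrawal, balance must equal minted receipts minus redeemed tokens.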
