Erc1155Quest.withdrawRemainingTokens() will withdraw all tokens even if there are users who minted a receipt but didnβt claimed their rewards before endTime
This can happen without a malicious whitelisted account.
Manual review
Consider the minted receipt number when withdrawing remaining rewards, similar to how itβs done for Erc20Quest.
function withdrawRemainingTokens(address to_) public override onlyOwner {
super.withdrawRemainingTokens(to_);
uint256 unclaimedTokens = questFactoryContract.getNumberMinted(questId) - redeemedTokens;
uint256 amountToWithdraw = IERC1155(rewardToken).balanceOf(address(this), rewardAmountInWeiOrTokenId) - redeemedTokens;
IERC1155(rewardToken).safeTransferFrom(
address(this),
to_,
rewardAmountInWeiOrTokenId,
IERC1155(rewardToken).balanceOf(address(this), rewardAmountInWeiOrTokenId),
'0x00'
);
}
The text was updated successfully, but these errors were encountered:
All reactions