3 matches found
Upgraded Q -> 3 from #664 [1675726078144]
Judge has assessed an item in Issue 664 as 3 risk. The relevant finding follows: L-1 ERC20 Quest: withdrawFee function should only be able to be called once instead of multiple times Issue: The withdrawFee function can be called multiple times by admin after a quest ends, resulting in more than t...
User's claim can revert when attackers call withdrawFee several times
Lines of code. Vulnerability details. Impact: withdrawFee can be called several times, so attackers can use this to drain Erc20Quest's balance. Proof of Concept: When the admin calls withdrawRemainingTokens, protocolFee + unclaimedTokens are left in the Erc20Quest contract. If unclaimedTokens =...
withdrawFee() can be called multiple times by any user when quest has ended making it possible to drain contract and leave users unable to claim rewards
Lines of code. Vulnerability details. Impact: The withdrawFee function in the Erc20Quest contract can be called multiple times. The modifier onlyAdminWithdrawAfterEnd is applied to the function which only makes it possible to call it after the end time of a quest. It should be noted that any user is...