code-423n4 / 2024-05-loop-findings


Missing withdrawal time check for non-ETH tokens #15

Closed howlbot-integration[bot] closed 4 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L301-L302

Vulnerability details

Impact

The current implementation of the withdraw function allows users to bypass the intended withdrawal restrictions after loopActivation has been set and before startClaimDate. This could potentially allow users to withdraw their tokens at times when they should instead be using the claim functionality. This breaks an invariant:

Note Can only be called after the loop address is set and before claiming lpETH,
i.e. for at least TIMELOCK. In emergency mode can be called at any time.

Proof of Concept

The absence of a check for block.timestamp >= startClaimDate for non-ETH token withdrawals in the smart contract code allows users to withdraw tokens at any time, without adhering to the intended time constraints set by loopActivation and startClaimDate.

else {
    // @audit no check on (block.timestamp >= startClaimDate) which means can withdraw at any time
    IERC20(_token).safeTransfer(msg.sender, lockedAmount);
}

Tools Used

Manual review

Recommended Mitigation Steps

Consider adding the same check for non-ETH tokens:

if (block.timestamp >= startClaimDate) {
    revert NoLongerPossible();
}

Assessed type

Other
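As an added illustration (not the project's contract and not part of the finding above), the following minimal contract shows the hardened shape of a withdraw window: the loopActivation / startClaimDate guard is enforced once, before the token branch, so the ETH and ERC-20 paths cannot diverge in their checks. The ETH sentinel, the emergencyMode flag, the TooEarly error and the storage layout are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

// Added example, not the audited PrelaunchPoints contract. Storage names,
// the ETH sentinel, emergencyMode and the TooEarly error are assumptions.
contract WithdrawWindowExample {
    using SafeERC20 for IERC20;

    address public constant ETH = 0xEeeeeEeeeEeEeeEeEeEeeEEEeeeeEeeeeeeeEEeE;
    uint256 public loopActivation;  // set when the loop address is configured
    uint256 public startClaimDate;  // from here on users must claim, not withdraw
    bool public emergencyMode;      // assumed flag that lifts the time window
    mapping(address => mapping(address => uint256)) public balances;

    error TooEarly();          // assumed name for "before loopActivation"
    error NoLongerPossible();  // error name used in the finding
    error CannotWithdrawZero();
    error FailedToSendEther();

    // Hardened withdraw: the time window is checked once for every token,
    // so there is no per-branch check to forget for non-ETH tokens.
    function withdraw(address _token) external {
        if (!emergencyMode) {
            if (block.timestamp <= loopActivation) revert TooEarly();
            if (block.timestamp >= startClaimDate) revert NoLongerPossible();
        }

        uint256 lockedAmount = balances[msg.sender][_token];
        if (lockedAmount == 0) revert CannotWithdrawZero();
        balances[msg.sender][_token] = 0; // effects before interactions

        if (_token == ETH) {
            (bool sent,) = msg.sender.call{value: lockedAmount}("");
            if (!sent) revert FailedToSendEther();
        } else {
            // Window already enforced above; the ERC-20 path needs no extra check.
            IERC20(_token).safeTransfer(msg.sender, lockedAmount);
        }
    }
}
```

When reviewing a withdraw path like this, confirm that every token branch is reachable only through the same time-window guard, or that the guard is duplicated in each branch with identical bounds.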

c4-judge commented 4 months ago

koolexcrypto marked the issue as primary issue

c4-judge commented 4 months ago

koolexcrypto marked the issue as duplicate of #17

c4-judge commented 3 months ago

koolexcrypto marked the issue as unsatisfactory: Invalid