Closed howlbot-integration[bot] closed 4 months ago
koolexcrypto marked the issue as duplicate of #18
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L249
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L321-L324
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L392
Vulnerability details
Issue Description
There is an invariant that says:
Users that deposit ETH/WETH get the correct amount of lpETH on claim (1 to 1 conversion)
The protocol's invariant, which guarantees a 1:1 conversion ratio of deposited ETH to lpETH upon claim, is being violated due to the presence of the receive() function and the convertAllETH function.
The convertAllETH function improperly calculates totalLpETH by assigning the contract's ETH balance directly to this variable, rather than ensuring accurate handling of ETH and lpETH balances. This miscalculation allows totalLpETH to be increased through the receipt of ETH without corresponding lpETH issuance, leading to a disparity between totalLpETH and totalSupply. This all happens because of the simple math calculation in the _claim function:
Although users get more than they expected, it broke one of the main invariants, all of which comes from a lack of ETH handling. There is another important note: the locking process also emits the Locked event for handling the points, but due to this bug, it can't handle the points very well.
Impact
Users are receiving more lpETH than expected due to incorrect handling of ETH within the protocol. This violation undermines the fundamental 1:1 conversion ratio between ETH deposits and lpETH issuance, compromising protocol integrity.
Proof of Concept
Add this test to the PrelaunchPointsTest.t.sol:
Tools Used
Manual Review, foundry
Recommended Mitigation Steps
There are 2 ways to mitigate this:
LockETH function in the receive() function:
totalSupply to the totalBalance:
:uint256 totalBalance = totalSupply;
}
Assessed type
ETH-Transfer
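The accounting described in this report, as an added example that is not part of the original submission or the project's code: a simplified Python model comparing the balance-based conversion with the second mitigation listed above (totalBalance = totalSupply). The class and function names, the 1:1 lpETH mint, and the pro-rata claim formula stake * totalLpETH / totalSupply are assumptions, since the page does not show the _claim code.

```python
"""Simplified accounting model of the reported issue (not PrelaunchPoints.sol)."""
from dataclasses import dataclass, field

WAD = 10**18  # 1 ETH in wei


@dataclass
class PrelaunchModel:
    use_total_supply: bool = False   # True models "totalBalance = totalSupply"
    balances: dict = field(default_factory=dict)
    total_supply: int = 0            # ETH recorded through lock()
    eth_balance: int = 0             # raw ETH held by the contract
    total_lp_eth: int = 0

    def lock(self, user: str, amount: int) -> None:
        # Tracked deposit: stake, totalSupply and balance all move together.
        self.balances[user] = self.balances.get(user, 0) + amount
        self.total_supply += amount
        self.eth_balance += amount

    def receive(self, amount: int) -> None:
        # Plain ETH transfer: the balance grows, totalSupply does not.
        self.eth_balance += amount

    def convert_all_eth(self) -> None:
        total_balance = self.total_supply if self.use_total_supply else self.eth_balance
        self.total_lp_eth = total_balance   # assumption: lpETH minted 1:1 for ETH sent
        self.eth_balance -= total_balance

    def claim(self, user: str) -> int:
        # Assumed pro-rata formula: stake * totalLpETH / totalSupply
        stake = self.balances.pop(user, 0)
        return stake * self.total_lp_eth // self.total_supply


def claim_after_untracked_eth(use_total_supply: bool) -> tuple:
    """Return (stake, lpETH claimed) for one depositor when 1 ETH arrives via receive()."""
    model = PrelaunchModel(use_total_supply=use_total_supply)
    model.lock("alice", 10 * WAD)     # constructed sample deposit
    model.receive(1 * WAD)            # constructed untracked transfer
    model.convert_all_eth()
    return 10 * WAD, model.claim("alice")


if __name__ == "__main__":
    for patched in (False, True):
        stake, claimed = claim_after_untracked_eth(patched)
        print(f"patched={patched} stake={stake} claimed={claimed} one_to_one={stake == claimed}")
```

An invariant test in the project's own suite can assert the same property: after conversion, totalLpETH equals totalSupply, so every claim returns exactly the locked stake.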