[H-1] `PrelaunchPoints::lock, lockFor` allows a users to lock s small amount of LRT token and then force ether into the contract claiming as much lpETH as they want, removing the risk of locking a lot of tokens and braking the 2nd invariant #26
In the Prelaunchpoint the functions lock and lockFor allow users to lock LRTs or WETH into the contract. After the owner calls setLoopAddresses and converts all the ETH, users are able to call the claim and claimAndStake functions. A user can force ETH into the smart contract and right after call the claim function with the LRT Token with a small percentage. Because claimedAmount is set to address(this).balance this will also get the forced ETH, allowing users to remove the risk of locking a large amount and rather lock a small amount and then force ether to get the desired lpETH.
Impact:
Allows users to remove the risk of locking a large amount of tokens.
Allows users to mint how much ever lpETH they want, as long as they have the capital and a small locked amount of LRT Token.
This breaks the 2nd invariant - Deposits are active up to the lpETH contract and lpETHVault contract are set
Proof of Concept:
The user locks a desired amount of an LRT Token
The owner sets the loop addresses and the 7 days to withdraw pass
The owner converts all the ETH, which allows the user to claim, claim and stake
The user forces ETH into the contract
The user calls the claim function and gets the lpETH for the forced ETH
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L262
Vulnerability details
Description:
In the
Prelaunchpoint
the functionslock
andlockFor
allow users to lock LRTs or WETH into the contract. After the owner callssetLoopAddresses
and converts all the ETH, users are able to call theclaim
andclaimAndStake
functions. A user can force ETH into the smart contract and right after call theclaim
function with the LRT Token with a small percentage. BecauseclaimedAmount
is set toaddress(this).balance
this will also get the forced ETH, allowing users to remove the risk of locking a large amount and rather lock a small amount and then force ether to get the desired lpETH.Impact:
Deposits are active up to the lpETH contract and lpETHVault contract are set
Proof of Concept:
claim
function and gets the lpETH for the forced ETHPaste this into
PrelaunchPoints.t.sol
Tools Used
Manual Review
Recommended Mitigation:
receive
function is called revertAssessed type
ETH-Transfer