Closed howlbot-integration[bot] closed 4 months ago
koolexcrypto marked the issue as duplicate of #18
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto marked the issue as partial-50
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #33
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L259-L262
Vulnerability details
Impact
When users claim lpETH and the specified _token is not ETH, if there is ETH in the
PrelaunchPoints
contract transferred by mistake by others, the contract will also convert this part of ETH into lpETH for the user. This is because the amount of lpETH calculated for the user's claim in the_claim
function isaddress(this).balance
, rather than the actual amount of ETH obtained through exchangeProxy with the _token in the_fillQuote
function.Although the comment states, "At this point there should not be any ETH in the contract," this is an ideal situation. In reality, it is highly possible that someone could mistakenly transfer ETH to the
PrelaunchPoints
contract.Proof of Concept
lock
function, locking an amount of_token
into thePrelaunchPoints
contract.convertAllETH
function to convert the ETH in thePrelaunchPoints
contract into lpETH and updates thestartClaimDate
variable, allowing users who have locked assets in the contract to start claiming lpETH.PrelaunchPoints
contract.claim
function to claim lpETH. Theclaim
function calls the_claim
function for the actual operation. In the_claim
function,_fillQuote
is invoked, which converts User A's _token into ETH held within thePrelaunchPoints
contract.claimedAmount
into lpETH for User A’s specified_receiver
. Note that theclaimedAmount
here isaddress(this).balance
, which includes User B's 10 ETH, not just theboughtETHAmount
calculated in the final_fillQuote
function.Tools Used
None
Recommended Mitigation Steps
_fillQuote
function return the final calculatedboughtETHAmount
to the_claim
function. In the_claim
function, convert the amount of ETH denoted asboughtETHAmount
into lpETH for the_receiver
.receive
function to prevent users from mistakenly transferring ETH into the contract.Assessed type
Other