Closed howlbot-integration[bot] closed 3 months ago
koolexcrypto marked the issue as primary issue
By sending ETH to the contract, the attacker only allows a subsequent user to claim them as lpETH, not locking the contract neither having any negative impact for users.
koolexcrypto marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L491-L505
Vulnerability details
Impact
In
PreLaunchPoints.sol
, users can claim their lpETH after thestartClaimDate
when all ETH balance within the contract is converted to lpETH viaconvertAllETH()
. Users claim lpETH depending on whether ETH/WETH or wrapped LRTs are locked:However, due to a flaw in
_fillQuote()
revolving howboughtETHAmount
is computed, it can potentially cause a permanent locking in funds. The impact of this is borderline medium/high, given ALL potential users funds are locked but would require the attacker to potentially donate an equal/greater value worth of ETH. Since it is mentioned explicitly as an attack vector to focus on, I will leave as high severityProof of Concept
PrelaunchPoints.sol
contract. When users want to claim the tokens,_fillQuote()
is executed to initiate the swap, notice how onlyuserClaim
worth of tokens is approved for swap.boughtETHAmount
is computed. At the point of time_fillQuote()
is executed, ETH balance would be assumed to be zero. So it is presumed thatboughtETHAmount
would initially be zero, and thus would never underflow when subsequently recomputed after the swap is completedconvertAllETH()
, donate a necessary amount of ETH (For example in this case, 52e18) to essentially lock all users from claiming lpETH from previous positions locked using wrapped LRTs since now the computation ofboughtETHAmount
would underflow (51e18 - 52e18).boughtETHAmount
(which is highliy unlikely). In that case, the attacker can now simply donate a higher amount of funds to continue the attack.Note that the impact described above is the maximum possible impact, but this issue can also be performed by front-running specific claims with smaller amount of funds to cause underflow, but would possibly not block all claims.
Tools Used
Manual Analysis
Recommended Mitigation Steps
Remove the computation of
boughtETHAmount
and track it off-chain, since it is not used within inscope contract.If not, consider allowing admin to retrieve any additional ETH donated that does not stem from honest locking positions represented bytotalSupply
.Assessed type
DoS