Closed howlbot-integration[bot] closed 4 months ago
koolexcrypto marked the issue as duplicate of #6
koolexcrypto marked the issue as duplicate of #33
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L253-L263
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L491-L505
Vulnerability details
Impact
During the `claim` process, `_claim` is called to send `lpETH` to the user. The amount, `claimedAmount`, is calculated based on the user's staked amount during the lock period. However, in the scenario where the user staked an allowed token to claim `lpETH`, `claimedAmount` is calculated using PrelaunchPoints's balance. A malicious user could therefore send any amount of ETH to PrelaunchPoints and call `claim` in a single transaction to claim any amount of `lpETH` they want, which makes the whole lock process useless.
Proof of Concept
1. Alice stakes `x_amount` of an allowed token in PrelaunchPoints by calling `lock`.
2. After `convertAllETH` is called and time has passed `startClaimDate`, Alice can claim `lpETH`, whose amount should equal the amount of ETH swapped from the `x_amount` of staked token. Let's define the correct amount of `lpETH` Alice should get as `x_amt_ETH`. https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L502-L504
3. Alice sends `y_amount` ETH to PrelaunchPoints and calls `claim` in a single transaction, so the actual amount of `lpETH` she gets is `y_amount + x_amt_ETH`. Since `y_amount` can be any number, Alice can claim an arbitrary amount of `lpETH` and thus make the lock process useless. https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L261-L263
Tools Used
Manual Review
Recommended Mitigation Steps
Use the swapped amount of ETH in `_fillQuote` as `claimedAmount` rather than `address(this).balance`.
Assessed type
Context
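The accounting from the proof of concept and the recommended mitigation, as a simplified Python model added here for illustration; it is not the PrelaunchPoints Solidity code. The class and method names, the `use_swap_output` switch and the 1:2 swap rate are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PrelaunchPointsModel:
    """Constructed model of the claim path; not the audited contract."""
    rate_num: int = 1                 # assumed swap rate: 1 ETH unit ...
    rate_den: int = 2                 # ... per 2 staked token units
    eth_balance: int = 0              # stands in for address(this).balance
    stakes: dict = field(default_factory=dict)
    lpeth: dict = field(default_factory=dict)

    def lock(self, user, amount):
        self.stakes[user] = self.stakes.get(user, 0) + amount

    def receive_eth(self, amount):
        # A plain ETH transfer only raises the contract balance.
        self.eth_balance += amount

    def _fill_quote(self, amount):
        # Swap the staked token for ETH and report how much ETH was bought.
        bought = amount * self.rate_num // self.rate_den
        self.eth_balance += bought
        return bought

    def claim(self, user, use_swap_output):
        amount = self.stakes.pop(user, 0)
        if amount == 0:
            raise ValueError("nothing to claim")
        bought = self._fill_quote(amount)
        # Reported behaviour: credit the whole balance.
        # Mitigation: credit only what the swap returned.
        claimed = bought if use_swap_output else self.eth_balance
        self.eth_balance -= claimed
        self.lpeth[user] = self.lpeth.get(user, 0) + claimed
        return claimed


def run_scenario(x_amount, y_amount, use_swap_output):
    """Return (lpETH credited to Alice, ETH left in the contract)."""
    c = PrelaunchPointsModel()
    c.lock("alice", x_amount)
    c.receive_eth(y_amount)           # the extra ETH from step 3
    claimed = c.claim("alice", use_swap_output)
    return claimed, c.eth_balance
```

With the mitigation, the extra `y_amount` stays in the contract balance and no longer affects `claimedAmount`.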