Closed howlbot-integration[bot] closed 4 months ago
koolexcrypto marked the issue as duplicate of #18
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto marked the issue as partial-50
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as partial-25
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L249
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L262
Vulnerability details
Impact
When `claimedAmount` is calculated in the `(_token == ETH)` branch, the amount of `lpETH` received may be greater than the staked `ETH` in case there was an accidental direct deposit of `ETH` to the contract. The user making this transfer of `ETH` rightfully loses it without a way to recover it. The issue is that the `ETH` can be considered lost as much as it would be when sent to a dummy address, as there is no way to recover it from the contract: you can only recover ERC20s or use the `withdraw()` function as a user. The excess balance causes `totalLpETH` to be greater than `totalSupply` because of the following lines in `convertAllETH`:

Therefore, it increases the `claimedAmount` for each user. This causes the conversion rate between `ETH` and `lpETH` to not equal 1.

Moreover, considering the `(_token != ETH)` branch, a user can `_fillQuote` with an amount equal to `userClaim`; however, the `claimedAmount` can be increased by simply sending `ETH` directly to the contract right before the call to the `claim()` or `claimAndStake()` functions. Again, this makes the conversion rate deviate from 1:1, because `ETH` sent directly to the contract is NOT accessible by anyone, including the owner.

Both of these situations make the `lpETH` inflationary, as users essentially get more `lpETH` for the same amount of real stake if they do what's explained above for both `_claim()` function token branches.
Proof of Concept
To run a PoC proving how the received `lpETH` is indeed increased when the user sends `ETH` directly to the contract right before calling `claim()`, change the code in `PrelaunchPoints0x.test.ts` to the code in this gist and run the test with `yarn hardhat test ./test/PrelaunchPoints0x.test.ts`.
Tools Used
Manual Review, Hardhat
Recommended Mitigation Steps
To mitigate this issue, consider changing the approach from push to pull, meaning that in `convertAllETH` the owner does not deposit all `ETH` to the `lpETH` contract. Thanks to this, the `totalSupply` and `totalLpETH` variables can be removed and the user gets the appropriate amount of `lpETH` based on their share of the contract's balance.
Assessed type
Token-Transfer
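
The accounting drift described under Impact, as an added Python model (not part of the original report, its gist, or the contract source). The class and method names and the sample amounts are constructed, and the swap branch is assumed to convert the contract's whole `ETH` balance after the swap.

```python
WEI = 10**18

class PrelaunchModel:
    def __init__(self):
        self.balance = 0       # ETH actually held by the contract
        self.total_supply = 0  # ETH tracked through the staking path
        self.total_lp_eth = 0  # lpETH held by the contract after conversion
        self.stakes = {}       # user -> staked ETH

    def lock_eth(self, user, amount):
        # Staking path: balance and tracked supply move together.
        self.balance += amount
        self.total_supply += amount
        self.stakes[user] = self.stakes.get(user, 0) + amount

    def direct_transfer(self, amount):
        # Plain ETH transfer: raises the balance, bypasses the bookkeeping.
        self.balance += amount

    def untracked_eth(self):
        # Invariant: 0 while every wei came in through lock_eth().
        return self.balance - self.total_supply

    def convert_all_eth(self):
        # Push model: the whole balance is deposited 1:1 for lpETH.
        self.total_lp_eth += self.balance
        self.balance = 0

    def claim_eth_branch(self, user):
        # (_token == ETH): pro-rata share of totalLpETH over totalSupply.
        return self.stakes[user] * self.total_lp_eth // self.total_supply

    def claim_swap_branch(self, swap_output):
        # (_token != ETH), assumed: everything held after the swap is
        # converted, so stray ETH is swept into the claim.
        claimed = self.balance + swap_output
        self.balance = 0
        return claimed

def demo():
    m = PrelaunchModel()
    m.lock_eth("alice", 6 * WEI)
    m.lock_eth("bob", 4 * WEI)
    m.direct_transfer(1 * WEI)    # constructed stray deposit before conversion
    stray = m.untracked_eth()
    m.convert_all_eth()
    alice = m.claim_eth_branch("alice")
    m.direct_transfer(WEI // 2)   # constructed stray deposit before a swap claim
    return stray, alice, m.claim_swap_branch(2 * WEI)
```

A non-zero `untracked_eth()` before conversion is the condition under which `totalLpETH` ends up above `totalSupply`; comparing the contract balance against `totalSupply` in a test or monitor surfaces it.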