Closed howlbot-integration[bot] closed 3 months ago
koolexcrypto marked the issue as duplicate of #18
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto marked the issue as partial-50
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as not a duplicate
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L392
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L259-L263
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L503-L504
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L321-L324
Vulnerability details
Impact
If a user mistakenly sends ETH to the contract before convertAllETH has been called by the owner, every user could claim more lpETH than expected. If he mistakenly sends ETH to the contract after convertAllETH has been called by the owner, the first user to claim after him could get more lpETH.
Proof of Concept
The contract is able to receive ETH.
However, if a user mistakenly sends ETH to the contract, this would affect the claiming process.
Consider the following 2 cases:
1. If a user mistakenly sends ETH to the contract before convertAllETH has been called by the owner, every user could claim more lpETH than expected.
When convertAllETH is called by the owner, all ETH in the contract will be converted to lpETH. When a user claims his locked ETH afterwards, the calculation claimedAmount = userStake.mulDiv(totalLpETH, totalSupply) will give him more lpETH than the actual amount.
2. If he mistakenly sends ETH to the contract after convertAllETH has been called by the owner, the first user to claim after him could get more lpETH.
When _claim is later called, lpETH.deposit{value: claimedAmount}(_receiver) is called to convert all ETH in the contract to lpETH. Thus the first user to claim afterwards could get more lpETH than the actual amount.
Tools Used
Manual, VSCode
Recommended Mitigation Steps
Three steps:
1. totalSupply is used to record the ETH balance, so it is better to use totalSupply to convert to lpETH.
2. boughtETHAmount obtained in _fillQuote to convert to ETH.
3. address(this).balance-totalSupply before claiming and address(this).balance after claiming.
Assessed type
ETH-Transfer
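The two cases from the Proof of Concept and the first two mitigation steps, worked through as an added Python model of the accounting (not the contract's Solidity and not code from the report). The class, its method names, the 10 ETH stakes, the 1 ETH stray transfers, the 2 ETH swap result and 1:1 lpETH minting are assumptions made for illustration.

```python
# Simplified accounting model (added example, not the audited Solidity); wei integers, lpETH assumed 1:1.
WEI = 10**18
class PrelaunchModel:
    def __init__(self, fixed=False):
        self.fixed = fixed        # True applies the report's recommended accounting
        self.balance = 0          # stands in for address(this).balance
        self.total_supply = 0     # ETH recorded through lock()
        self.total_lp_eth = 0     # lpETH minted by convert_all_eth()
        self.stakes = {}          # user -> locked ETH

    def lock(self, user, amount):
        self.stakes[user] = self.stakes.get(user, 0) + amount
        self.total_supply += amount
        self.balance += amount

    def stray_transfer(self, amount):
        # Plain ETH transfer: raises the balance but is not recorded in total_supply.
        self.balance += amount

    def convert_all_eth(self):
        # Reported behaviour converts the whole balance; mitigation 1 converts total_supply.
        amount = self.total_supply if self.fixed else self.balance
        self.balance -= amount
        self.total_lp_eth = amount

    def claim_eth_stake(self, user):
        # claimedAmount = userStake.mulDiv(totalLpETH, totalSupply)
        return self.stakes.pop(user) * self.total_lp_eth // self.total_supply

    def claim_token_stake(self, bought_eth_amount):
        # Post-conversion claim: the swap yields bought_eth_amount, then ETH is deposited for lpETH.
        self.balance += bought_eth_amount
        # Reported behaviour deposits the whole balance; mitigation 2 deposits only the swap result.
        amount = bought_eth_amount if self.fixed else self.balance
        self.balance -= amount
        return amount

def run_cases(fixed):
    # Case 1 (constructed values): alice and bob lock 10 ETH each, 1 ETH arrives before conversion.
    m = PrelaunchModel(fixed)
    for user in ("alice", "bob"):
        m.lock(user, 10 * WEI)
    m.stray_transfer(1 * WEI)
    m.convert_all_eth()
    case1 = (m.claim_eth_stake("alice"), m.claim_eth_stake("bob"))
    # Case 2 (constructed values): 1 ETH arrives after conversion, next claimer's swap yields 2 ETH.
    m.stray_transfer(1 * WEI)
    case2 = m.claim_token_stake(2 * WEI)
    return case1, case2
```

With the reported accounting each 10 ETH stake claims 10.5 lpETH and the next claimer receives 3 lpETH for a 2 ETH swap; with the recommended accounting the claims are 10 and 2, and the stray ETH stays in the contract balance.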