Closed howlbot-integration[bot] closed 3 months ago
Yes, but the Claimed event is not used to give more points, so it will not inflate user's points
koolexcrypto marked the issue as primary issue
@c4-sponsor
Thank you for your feedback.
Isn't claimedAmount
in Claimed
event used to give points for the user?
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as partial-75
@c4-sponsor
Thank you for your feedback.
Isn't
claimedAmount
inClaimed
event used to give points for the user?
The points are calculated by using the Locked and Withdraw events and the Claimed event is used a safeguard against tricky withdrawals, that means users that get little claimedAmounts compared to Locked minus Withdrawals get penalised. If that's not the case they just get Locked minus Withdrawals.
@c4-sponsor Thank you for your feedback. Isn't
claimedAmount
inClaimed
event used to give points for the user?The points are calculated by using the Locked and Withdraw events and the Claimed event is used a safeguard against tricky withdrawals, that means users that get little claimedAmounts compared to Locked minus Withdrawals get penalised. If that's not the case they just get Locked minus Withdrawals.
Thanks for the clarification
koolexcrypto marked the issue as partial-50
koolexcrypto marked the issue as full credit
koolexcrypto marked the issue as not a duplicate
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
Dear judge, Thank you for your work.Hope you can take a look at my comments
Isn't the attack method used and reaction issues in this report the same as Scenario 1 in #33?I just explained it from the perspective of events.I assume that it is a copy of #33.
In addition, I also mentioned that this attack can be performed infinitely many times. Users can interact with the contract, which not checks the size of the _percentage. The token can be claimed partly by multiple times, and even set _percentage to 0 for unlimited claims. This is not mentioned in #33
uint256 userClaim = userStake * _percentage / 100;
_validateData(_token, userClaim, _exchange, _data);
balances[msg.sender][_token] = userStake - userClaim;
// At this point there should not be any ETH in the contract
// Swap token to ETH
_fillQuote(IERC20(_token), userClaim, _data);
// Convert swapped ETH to lpETH (1 to 1 conversion)
claimedAmount = address(this).balance;
lpETH.deposit{value: claimedAmount}(_receiver);
}
emit Claimed(msg.sender, _token, claimedAmount);
Finally, I have a small doubt whether such a situation exists If users only make 50% claims before the points are distributed, and they still have 50% tokens locked in the contract, will they be punished during the points distribution? If they are to be punished, it seems unfair because their 50% tokens are indeed still locked in the contract.They may retrieve it later. If they won't be punished, then they can wait for the points to be distributed before engaging in malicious behavior.
Hi @shaflow01
The issue clearly focused on the events. However, since you mentioned this part
causing them to be converted to lqETH through the contract
i will consider partial credit
koolexcrypto removed the grade
This previously downgraded issue has been upgraded by koolexcrypto
This previously downgraded issue has been upgraded by koolexcrypto
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as partial-25
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L262
Vulnerability details
Impact
Users can send ETH to the contract before calling the claim function or claimAndStake, causing them to be converted to lqETH through the contract, triggering incorrect Claimed and claimAndStake events, which may allow them to earn more points.
Proof of Concept
The reasons for this issue are:
Due to the lack of visibility into the specific process of point calculation, the POC can only be reflected in the anomalies of events.
POC:
Upon inspecting the events, it was discovered that both claimed events had a claimedAmount of 5e18.
Tools Used
Manual audit,foundry
Recommended Mitigation Steps
Use the balance obtained from the swap as the input for the deposit.
Assessed type
Other