Closed: howlbot-integration[bot] closed this issue 4 months ago
koolexcrypto marked the issue as duplicate of #6
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as satisfactory
koolexcrypto changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L252-L264
Vulnerability details
Impact
A user can still deposit more and end up minting more lpETH even at a time when it is no longer possible to be eligible to do so, by funnelling ether deposits into the contract on every small lpETH claim. Each such claim resolves to minting more lpETH than the protocol expects, without the supposed full amount ever having been locked in ETH, WETH or LRTs in the first place. This breaches one of the protocol's invariants:
Proof of Concept
LRT or less. Let's assume the LRT is Renzo ETH (ezETH) in this case.
PrelaunchPoints.sol#L143-L148
Note, in the _processLock() function below, that there is a modifier, onlyBeforeDate(), that stops locking once the loop is activated:
PrelaunchPoints.sol#L172-L175
PrelaunchPoints.sol#L211-L216
She calls claim(), which executes _claim():
PrelaunchPoints.sol#L240-L266
From _claim above: since at this point in time claiming of lpETH has been activated and set, all she should normally be able to do is claim, i.e. swap her 1e18 ezETH balance for 1e18 lpETH. But what she does instead is call the claim function and pass in x% to convert only x% of her ezETH into lpETH. If she passed in 1%, this should resolve to 1e16 lpETH being claimed. However, she first sends 100 ether into the PrelaunchPoints contract, which then allows her to have 100 lpETH claimed on top of the 1e16 resulting from the 1% she specified. This effectively breaches the protocol assumption that Alice will only ever be able to mint 1 lpETH, when in fact she has just minted 100 lpETH plus 1e16 lpETH, and still holds the 0.99 ezETH she is yet to convert/claim and can leverage to mint more lpETH, continuing to exploit this loophole.
Below is a coded POC for this exploit. Please read the test and paste it into the PrelaunchPoints.t.sol test contract. Run it with forge test --mt testBypassLockingPOC. You can append the -vvvvv flag for execution trace verbosity.
Test result:
Tools Used
Manual review
Recommended Mitigation Steps
Use this modification of the else block in the _claim() function instead:
With this change, even if Alice tries to send ether into the contract directly, it will be a lost cause, as she effectively donates it without exploiting the loophole.
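As an added illustration of the accounting that produces the behaviour described above (this is not the warden's snippet, which is not reproduced on this page, and not the project's PrelaunchPoints.sol), the simplified Solidity model below mints lpETH only for the ETH that the claim's own swap produced, so ETH sent to the contract beforehand is never minted against. ILpETH, IExchange, the minimal IERC20, claimLRT and the storage layout are assumptions chosen for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the LOOP project's code. The interfaces, claimLRT and
// the storage layout are assumptions that model the claim path the report
// describes.

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

interface ILpETH {
    // Assumed: lpETH is minted 1:1 for the ETH sent along with the call.
    function deposit(address receiver) external payable;
}

interface IExchange {
    // Assumed: pulls `amount` of `token` from the caller and pays ETH back to it.
    function sellForEth(address token, uint256 amount) external;
}

contract ClaimAccountingExample {
    ILpETH public immutable lpETH;
    IExchange public immutable exchange;

    // user => LRT token => locked balance
    mapping(address => mapping(address => uint256)) public balances;

    event Claimed(address indexed user, address indexed token, uint256 lpEthMinted);

    constructor(ILpETH _lpETH, IExchange _exchange) {
        lpETH = _lpETH;
        exchange = _exchange;
    }

    // The contract must accept ETH because the exchange pays swap proceeds
    // back to it. ETH sent here directly is credited to nobody: with the
    // accounting in claimLRT it simply stays in the contract (a donation).
    receive() external payable {}

    // Claims `percentage` of the caller's locked LRT: swaps it to ETH and
    // mints lpETH only for the ETH that this particular swap produced.
    function claimLRT(address token, address receiver, uint8 percentage)
        external
        returns (uint256 claimedAmount)
    {
        require(percentage > 0 && percentage <= 100, "bad percentage");
        uint256 userStake = balances[msg.sender][token];
        require(userStake > 0, "nothing to claim");

        uint256 userClaim = (userStake * percentage) / 100;
        balances[msg.sender][token] = userStake - userClaim;

        // Weak shape described in the report: after the swap, the whole
        // contract balance (including ETH anyone transferred in beforehand)
        // was treated as the claim, so a prior direct transfer inflated the
        // mint beyond what had actually been locked.
        //
        // Hardened: snapshot the balance, swap, and credit only the delta.
        uint256 balanceBefore = address(this).balance;
        require(IERC20(token).approve(address(exchange), userClaim), "approve failed");
        exchange.sellForEth(token, userClaim);
        claimedAmount = address(this).balance - balanceBefore;
        require(claimedAmount > 0, "swap produced no ETH");

        // 1:1 conversion of exactly the swap proceeds into lpETH.
        lpETH.deposit{value: claimedAmount}(receiver);
        emit Claimed(msg.sender, token, claimedAmount);
    }
}
```

With delta accounting, a direct transfer of 100 ether before a 1% claim leaves the minted amount equal to the swap output alone, and the 100 ether remains in the contract. A regression test for this path should send ETH directly, call the claim, and assert that the receiver's lpETH balance grew by the swap proceeds only; whether the stranded ETH is later swept or documented as permanently locked is a separate design decision the protocol has to make explicitly.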
Assessed type
Timing