Closed howlbot-integration[bot] closed 3 months ago
koolexcrypto marked the issue as duplicate of #18
koolexcrypto marked the issue as partial-75
contract have 1 ETH locked
Didn't explain how the contract got 1 ETH locked, the contract shouldn't have any ETH locked unless someone sent to it directly.
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto marked the issue as partial-50
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as duplicate of #33
koolexcrypto marked the issue as not a duplicate
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L262 https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L491-L505
Vulnerability details
Impact
The user could receive the forever locked
ETH
as part of claimETH
.Proof of Concept
The
PrelaunchPoints
contract hasreceive()
function and the comment on it says that:Here the contract transfer the complete
ETH
Balance to the_receiver
. The Issue here is that this function will also transfer the lockedETH
to the receiver.let assume that the contract have 1 ETH locked.
_fillQuote
function to convert the assets._fillQuote
convert 1 stEth to ETH and receive 1 ETH after conversion. assume 1:1 ETH:stETH.1 Locked ETH + 1 received ETH
after conversion so theaddress(this).balance = 2 ETH
.Tools Used
Manual Review
Recommended Mitigation Steps
Extract the exact balance received after conversion and transfer it to receive . because the user is not allow to receive the Locked ETH in contract. one solution cold be as follows: return the
boughtAmount
from_fillQuote
function and send it to the receiver.Assessed type
ETH-Transfer