Closed howlbot-integration[bot] closed 3 months ago
We assumed the data we send is correct, so this is very unlikely. The fix can be applied for QA.
koolexcrypto marked the issue as primary issue
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
@koolexcrypto High impact + Low likelihood should be rated a medium finding instead of a low. Please reconsider it. Thanks.
@mystery0x isn't this being taken care of by the 0x UniswapV3 feature recipient normalization?
Hi @mystery0x
User input error is considered as QA or invalid
Findings that require the user to be careless or enter the wrong information into a contract call are QA or Invalid
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L262 https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L439-L441
Vulnerability details
Impact
In the
_claim
function of the PrelaunchPoints contract, if the swap operation within the_claim
function sends ETH to the zero address (address(0)
) instead of the contract address (address(this)
), the user's ETH converted via the wrapped LRT is irretrievably lost. This results in a direct financial loss for the user attempting the claim, and the intendedclaimedAmount
calculation fails because the contract does not receive the ETH. Furthermore, this error undermines the reliability of the contract and can significantly impact user trust, as the contract does not perform as expected, leading to failed transactions and potential financial detriment to users.Proof of Concept
Consider a scenario where a user triggers the
_claim
function, expecting to convert a locked token into ETH and then into lpETH. The function flow is as follows:address(this)
. However, due to a configuration error, the ETH is sent toaddress(0)
where_validateData()
will not revert.https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L439-L441
claimedAmount
based on its current ETH balance usingaddress(this).balance
.address(0)
, the contract's balance remains unchanged (typically 0 still), leading to an erroneousclaimedAmount
calculation—often resulting in a zero value.https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L257-L263
Recommended Mitigation Steps
Modify the _validateData function to ensure that all swap operations explicitly specify address(this) as the recipient. Implement checks to prevent address(0) from being used in critical transactions where asset receipt is expected.
https://code4rena.com/audits/2024-05-loopfi/submit
Alternatively, ensure that
boughtETHAmount
in_fillQuote()
isn't zero:https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L503
Assessed type
Invalid Validation