0xd4n1el
commented
4 months ago That is why we do not accept rebase tokens and only wrapped versions like weETH
Closed howlbot-integration[bot] closed 3 months ago
0xd4n1el
commented
4 months ago That is why we do not accept rebase tokens and only wrapped versions like weETH
c4-judge
commented
3 months ago koolexcrypto marked the issue as primary issue
koolexcrypto
commented
3 months ago I couldn't find a rebasing token among the one listed in README.
c4-judge
commented
3 months ago koolexcrypto changed the severity to QA (Quality Assurance)
c4-judge
commented
3 months ago koolexcrypto marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L244
Vulnerability details
Impact
Some amounts of LRT tokens might be locked forever in Loop protocol. Moreover, early users will claim their full amount at the expense of late users. At minimum, the last user might incur some losses when trying to claim as they can not claim the 100% of their amount
Proof of Concept
Some LRTs tokens are rebase, their balance can change during the lock time. The mechanism behind rebase tokens is altering the token supply proportionally across all existing holders' balances.
When the token's price deviates from its target, a rebase event is triggered, where in the protocol adjusts the token supply by either increasing or decreasing the number of tokens each user holds. this adjustment aims to push the token's price toward its intended target, stabilizing its value over time.
The issue could happen when some of LRTs tokens are used in the protocol to be locked, 120 days of locking time is a long time, and it is possible for a rebase token X amount to be changed. Therefore, the balance of the contract might change.
This would lead to a simple conclusion: big deposits of X rebase token can decrease or increase with the time while they are being locked, thus incase the amount of X increased, the user will lose the increasing value, since the claim rely on balances[msg.sender][_token]. These surplus amounts can not be recovered by the protocol as well because recoverERC20 method exclude any LRT token.
Please also note that if the balance in the contract decreased instead, the last user to claim will incur the loss, unlike early users who can claim their full amount
Tools Used
Manual Review
Recommended Mitigation Steps
Create and use a wrapper for the rebase token or track the totalSupply of the token and distribute it proportionally to the user on claim
Assessed type
Other