Closed howlbot-integration[bot] closed 3 months ago
koolexcrypto marked the issue as primary issue
The emergency is clearly documented to be a 0x API failure and not an lpETH contract problem. lpETH will be just a wrapper where users can deposit/withdraw at any time, so users can still recover their ETH/WETH but with an extra step
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L292
Vulnerability details
Impact
I am reporting this submission as
Medium
because I know that this issue is notHigh
but I am also pretty much confident that this is not evenLow
because it might affect the decision of the liquidity providers and negatively affect theETH
liquidity bootstrapping activity.In the contest's
Readme.md
, it is written asThere is an emergency mode that allows users to withdraw without any time restriction. If ETH was converted already users can call claim instead."
.Being an investor (ETH/WETH depositor/locker), this statement impresses me that in case of any unfortunate event like Hack/Attack, I will be able to recover my investment if emergency mode is applied by the protocol admin. Even if the conversion is done, I will be able to claim instead.
But the point here is that, investor will only be able to claim the
lpETH
. We should explicitly mention this in document that after conversion, even if emergency mode is activated, ETH/WETH depositors/lockers will only be able to claimlpETH
notETH/WETH
. Because if the protocol is attacked then definitelylpETH
will also crash and in such case claiminglpETH
will make no benefit to theETH/WETH
depositor/locker.Another point to note here is that LRT depositor/locker has an edge in this case because even after conversion and activation of emergency mode, they can withdraw their principally staked LRTs at any point in time until and unless those are not claimed. However, this is mentioned in the docs, that this behaviour is intended to prevent locking of LRTs in contract due to malfunction by 0x API. But if depositors know this fact then they might prefer to deposit LRT instead of ETH/WETH directly.
Source
Code
Actual Impact
Liquidity providers might get mislead by reading the docs and not understand the actual implication. If this happens, then in future it might affect the credibility of the protocol and might affect the market confidence of
lpETH
token.If understood correctly, then liquidity providers might prefer to deposit/lock LRTs instead of
ETH/WETH
directly because it can be perceived that depositing LRT is more secure thanETH/WETH
and this will in turn affect the Liquidity bootstrapping activity for which thisPrelaunch
program is all about.Proof of Concept
forge test --mt test_WY_EmergencyModeWithdrawBehaviour -vv
Add below test in
PrelaunchPoints.t.sol
Code
Tools Used
Manual review
Recommended Mitigation Steps
The treatment of withdrawal in case of emergency mode should be equitable with LRT/ETH/WETH lockers. It would be more fair, if we allow the
ETH/WETH
depositor/locker to withdraw the unclaimed amount of principally stakedETH/WETH
in case of emergency.Assessed type
Other