code-423n4 / 2024-05-loop-findings


Incorrect recipient validation #8

Closed howlbot-integration[bot] closed 3 months ago

howlbot-integration[bot] commented 4 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L439-L441
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L254

Vulnerability details

Impact

This incorrect validation can lead to the following issues:

  1. If the _receiver address is neither the PrelaunchPoints contract nor the zero address, the function will revert, preventing legitimate users from claiming their lpETH tokens.

  2. If the _receiver address is set to the zero address, the function will proceed, but any claimed lpETH tokens will be sent to the zero address, effectively burning them and making them unrecoverable.

Proof of Concept

The _validateData function is intended to validate the swap data received from the 0x API to ensure that the swap is executed as intended. However, the check:

```solidity
if (recipient != address(this) && recipient != address(0)) {
    revert WrongRecipient(recipient);
}
```

is not correctly validating the recipient address.

This check assumes that the recipient address should be either the PrelaunchPoints contract itself (address(this)) or the zero address (address(0)). However, in the context of the _claim function, the _receiver parameter is used to specify the address that should receive the claimed lpETH tokens.

Tools Used

Manual review

Recommended Mitigation Steps

The validation check for the recipient address should be modified to align with the intended behavior of the _claim function.

Assessed type

Invalid Validation

0xd4n1el commented 3 months ago

Yes but this is extremely unlikely since we assume the data sent is correct

c4-judge commented 3 months ago

koolexcrypto marked the issue as primary issue

c4-judge commented 3 months ago

koolexcrypto changed the severity to QA (Quality Assurance)

c4-judge commented 3 months ago

koolexcrypto marked the issue as grade-c

c4-judge commented 3 months ago

This previously downgraded issue has been upgraded by koolexcrypto

c4-judge commented 3 months ago

koolexcrypto changed the severity to QA (Quality Assurance)