Closed howlbot-integration[bot] closed 3 months ago
Yes, but this is extremely unlikely, since we assume the data sent is correct.
koolexcrypto marked the issue as primary issue
koolexcrypto changed the severity to QA (Quality Assurance)
koolexcrypto marked the issue as grade-c
This previously downgraded issue has been upgraded by koolexcrypto
koolexcrypto changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L439-L441
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L254
Vulnerability details
Impact
This incorrect validation can lead to the following issues:
If the recipient encoded in the swap data (which is not the _receiver passed to _claim) is neither the PrelaunchPoints contract nor the zero address, _validateData reverts and the user cannot claim their lpETH tokens through that path.
If the recipient encoded in the swap data is the zero address, validation passes and the claim proceeds, but the claimed tokens are sent to the zero address, which burns them and makes them unrecoverable.
Proof of Concept
The _validateData function is intended to validate the swap data received from the 0x API so that the swap executes as intended. However, the recipient check at the linked lines (PrelaunchPoints.sol#L439-L441) does not correctly validate the recipient address.
The check assumes that the recipient should be either the PrelaunchPoints contract itself (address(this)) or the zero address (address(0)). In the context of the _claim function, though, the _receiver parameter specifies the address that should receive the claimed lpETH tokens, and the recipient check is not aligned with that parameter.
Tools Used
Manual review
Recommended Mitigation Steps
The recipient check should be modified to match the intended behavior of the _claim function: the recipient decoded from the swap data should be the address the claim flow actually expects to receive the swap output, and the zero address should not pass validation, so that claimed tokens cannot end up at address(0).
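The following is an added illustration of the check discussed in the Proof of Concept and of the mitigation above; it is not code from the Loop PrelaunchPoints contract. The calldata layout (a 4-byte selector followed by abi.encode(inputToken, outputToken, amount, recipient)), the selector value, the error names and the choice of mitigation (require the swap output to land in the contract itself, reject the zero address) are all assumptions made for the example, and real 0x payloads are encoded differently.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the project's code. Models a claim path that decodes the
/// swap recipient from caller-supplied calldata and validates it before the
/// swap runs. Payload layout is an assumption for this example only:
/// 4-byte selector || abi.encode(inputToken, outputToken, amount, recipient).
contract SwapRecipientCheck {
    error WrongSelector(bytes4 selector);
    error WrongDataTokens(address inputToken, address outputToken);
    error WrongDataAmount(uint256 amount);
    error WrongRecipient(address recipient);

    // Assumed selector for the example payload (hypothetical value).
    bytes4 public constant SWAP_SELECTOR = 0x11223344;

    /// Decode the assumed payload layout, skipping the 4-byte selector.
    function _decodeSwapData(bytes calldata data)
        internal
        pure
        returns (address inputToken, address outputToken, uint256 amount, address recipient, bytes4 selector)
    {
        selector = bytes4(data[:4]);
        (inputToken, outputToken, amount, recipient) =
            abi.decode(data[4:], (address, address, uint256, address));
    }

    /// Check as described in the finding: address(this) OR address(0) passes,
    /// so a payload whose recipient is the zero address is accepted.
    function validateLoose(address token, uint256 expected, bytes calldata data)
        external
        view
        returns (address)
    {
        (address inputToken, address outputToken, uint256 amount, address rcpt, bytes4 selector) =
            _decodeSwapData(data);
        if (selector != SWAP_SELECTOR) revert WrongSelector(selector);
        if (inputToken != token) revert WrongDataTokens(inputToken, outputToken);
        if (amount != expected) revert WrongDataAmount(amount);
        // Zero recipient slips through this condition.
        if (rcpt != address(this) && rcpt != address(0)) revert WrongRecipient(rcpt);
        return rcpt;
    }

    /// Assumed mitigation: the swap output must land in this contract, which
    /// then forwards the claimed tokens to _receiver itself. The zero address
    /// and any other foreign recipient are rejected.
    function validateStrict(address token, uint256 expected, bytes calldata data)
        external
        view
        returns (address)
    {
        (address inputToken, address outputToken, uint256 amount, address rcpt, bytes4 selector) =
            _decodeSwapData(data);
        if (selector != SWAP_SELECTOR) revert WrongSelector(selector);
        if (inputToken != token) revert WrongDataTokens(inputToken, outputToken);
        if (amount != expected) revert WrongDataAmount(amount);
        if (rcpt != address(this)) revert WrongRecipient(rcpt);
        return rcpt;
    }

    /// Builds a constructed sample payload whose recipient is address(0) and
    /// reports whether each check accepts it (true) or reverts (false).
    function demoZeroRecipient(address token, uint256 amount)
        external
        view
        returns (bool loosePasses, bool strictPasses)
    {
        // Hypothetical output-token address; only the recipient field matters here.
        address outputToken = address(uint160(0xEEe));
        bytes memory data = abi.encodePacked(
            SWAP_SELECTOR, abi.encode(token, outputToken, amount, address(0))
        );
        try this.validateLoose(token, amount, data) { loosePasses = true; } catch { loosePasses = false; }
        try this.validateStrict(token, amount, data) { strictPasses = true; } catch { strictPasses = false; }
    }
}
```

Deploying the contract and calling demoZeroRecipient with any token address and amount shows the difference in one call: the loose condition accepts the zero-recipient payload, while the strict condition reverts with WrongRecipient(address(0)). The strict form only makes sense if the claim flow always expects the swap output in the contract before it credits _receiver; if the protocol instead intends a different recipient, the equality should be against that address rather than address(this).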
Assessed type
Invalid Validation