Closed howlbot-integration[bot] closed 3 months ago
By using Claimed event we track if user indeed withdraw and adjust points accordingly. In this case the contract does not need further modifications
The issue doesn’t elaborate on the impact on the protocol.
However, as stated by the sponsor, Claimed event is emitted to track the claimed amounts.
claimedAmount = address(this).balance;
.
.
emit Claimed(msg.sender, _token, claimedAmount);
claimedAmount is ETH balance, so there is no points gained for the attacker in this case.
koolexcrypto marked the issue as primary issue
koolexcrypto marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L448-L464
Vulnerability details
Impact
UniswapV3 decodes the parameters for each swap pool in a multi-pool
path
bytes array in the following order:tokenA,fee,tokenB
. Each token address is encoded by 20 bytes and fee by 3bytes. If there are remaining bytes in thepath
, they will be ignored. For example, if you providepath
liketokenA,fee,tokenB,tokenC
, thispath
will be treated astokenA,fee,tokenB
in UniswapV3'sSwapRouter
.In
PrelaunchPoints
, the_decodeUniswapV3Data
only parses the first and the last token from thepath
:and then these tokens will be checked in
_validateData
:The attacker can use a malicious path, for example,
USDC,fee,MyToken,WETH
. The decoded last token will beWETH
, thus the check in_validateData
will be passed. However, the UniswapV3 will decode this path asUSDC,fee,MyToken
and ignore theWETH
when executing the swap.The attacker can create a
USDC-MyToken
pool and swap all his locked USDC toMyToken
and then remove all liquidity of this pool. As a result, the attacker's USDC will not be converted to thelpETH
.Tools Used
Manual Review
Recommended Mitigation Steps
Consider using UniswapV3's Path library(https://github.com/Uniswap/v3-periphery/blob/main/contracts/libraries/Path.sol#L29-L54) to decode the last token:
Assessed type
en/de-code