Users get more lpETH than the amount of ETH they have locked
Proof of Concept
The LoopFi protocol has an emergency mode feature that lets users withdraw their assets even after the loopActivation and startClaimDate periods have passed. However, in emergency mode users can still claim lpETH in exchange for their locked ETH with the claim() function. This is a problem because the total supply of ETH changes, which affects the exchange rate between lpETH and ETH.
Exploit Scenario
Normally, a user first locks their ETH with the lockETH() or lockETHfor() function until a certain time limit.
After a certain time, the owner calls the setLoopAddresses() function and starts the first epoch. After 7 days, the owner calls the convertAllETH() function to start the claim period, during which users can claim lpETH.
For example, assume the following values at that point:
totalLpETH : 1000
totalSupply : 1000
Because there was a problem, the owner activated the emergencyMode feature by calling the setEmergencyMode() function.
Assume that some users then withdraw their ETH, so the values become:
totalLpETH : 1000
totalSupply : 500
Bob, who knows this condition and has a locked ETH balance (i.e. 100 ETH), calls the claim() function to exchange it for lpETH.
With the formula above, Bob should have gotten 100 lpETH tokens, but now he gets 200 lpETH tokens because the exchange rate has changed due to the change in the total supply of ETH.
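The scenario above replayed in a small Python model, added here as an illustration and not taken from PrelaunchPoints.sol. It assumes claim() pays stake * totalLpETH / totalSupply (the rate implied by the numbers above); the users alice and carol and the guard_claim switch are constructed for the example.

```python
class ClaimPaused(Exception):
    """Raised by the guarded model when claim() is called in emergency mode."""


class PrelaunchModel:
    """Accounting-only model of the lock / convert / withdraw / claim flow."""

    def __init__(self, locked, guard_claim=False):
        self.balances = dict(locked)               # ETH locked per user
        self.total_supply = sum(locked.values())   # totalSupply in the scenario
        self.total_lpeth = 0                       # totalLpETH in the scenario
        self.emergency = False
        self.guard_claim = guard_claim             # hypothetical switch: mitigation on/off

    def convert_all_eth(self):
        self.total_lpeth = self.total_supply       # 1000 ETH -> 1000 lpETH

    def set_emergency_mode(self):
        self.emergency = True

    def withdraw(self, user):
        if not self.emergency:
            raise RuntimeError("withdraw at this stage requires emergency mode")
        amount = self.balances.pop(user)
        self.total_supply -= amount                # denominator of the rate shrinks
        return amount

    def claim(self, user):
        if self.guard_claim and self.emergency:
            raise ClaimPaused("claim() is paused in emergency mode")
        stake = self.balances.pop(user)
        # Assumed rate: stake * totalLpETH / totalSupply
        return stake * self.total_lpeth // self.total_supply


def bob_claim(guard_claim):
    """Replay the scenario; return the lpETH Bob receives for his 100 ETH."""
    m = PrelaunchModel({"alice": 500, "carol": 400, "bob": 100}, guard_claim)
    m.convert_all_eth()                            # totalLpETH = totalSupply = 1000
    m.set_emergency_mode()
    m.withdraw("alice")                            # totalSupply: 1000 -> 500
    return m.claim("bob")


if __name__ == "__main__":
    print("unguarded claim:", bob_claim(False))
    try:
        bob_claim(True)
    except ClaimPaused as exc:
        print("guarded claim:", exc)
```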
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L240-L266
Vulnerability details
Impact
Users get more lpETH than the amount of ETH they have locked.
NOTE:
This also affects the claimAndStake() function
If this condition occurs, the main invariant will be broken
lpETH than they should
Tools Used
Manual review
Recommended Mitigation Steps
Consider pausing the claim() function while the protocol is in the emergencyMode state.
Assessed type
Other