Denial of service for users who do not intend to withdraw or claim all their ETH at once in the PrelaunchPoints.sol contract, due to the rigid implementation of the claim function
Proof of Concept
/**
 * @dev Called by a user to get their vested lpETH
 * @param _token Address of the token to convert to lpETH
>>> * @param _percentage Proportion in % of tokens to withdraw. NOT useful for ETH
 * @param _exchange Exchange identifier where the swap takes place
 * @param _data Swap data obtained from 0x API
 */
function claim(address _token, uint8 _percentage, Exchange _exchange, bytes calldata _data)
    external
    onlyAfterDate(startClaimDate)
{
    _claim(_token, msg.sender, _percentage, _exchange, _data);
}
As the pointer in the comment above the claim(...) function notes, the protocol does not allow ETH to be withdrawn by percentage, which is evident in its further implementation in the _claim(...) internal function provided below.
The pointers show that for ETH the complete balance is emptied to zero, while for other tokens it is not. This affects users who intend to withdraw or claim only part of their ETH and not all of it.
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L207
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L250
Vulnerability details
Impact
Denial of service for users who do not intend to withdraw or claim all their ETH at once in the PrelaunchPoints.sol contract, due to the rigid implementation of the claim function
Tools Used
Manual Review
Recommended Mitigation Steps
The protocol should handle ETH the same way other tokens are handled, by percentage, so that users can also withdraw or claim ETH in fragments.
Assessed type
DoS
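The accounting difference this report describes, next to the recommended percentage-based handling, as an added example that is not the PrelaunchPoints code. The contract name, function names, errors and the ETH sentinel value are all hypothetical, and the model tracks balances only (no swap and no lpETH transfer).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Simplified model for illustration; every name here is hypothetical.
contract ClaimModel {
    // Sentinel standing in for "the token is ETH" (value chosen for this model only).
    address internal constant ETH = address(0);

    mapping(address => mapping(address => uint256)) public balances;

    error NothingToClaim();
    error InvalidPercentage();

    /// Stand-in for a deposit so the model can be exercised.
    function stake(address token, uint256 amount) external {
        balances[msg.sender][token] += amount;
    }

    /// Behaviour as the report describes it: for ETH the percentage is ignored
    /// and the whole balance is zeroed; other tokens are reduced proportionally.
    function claimAsDescribed(address token, uint8 percentage) external returns (uint256 claimed) {
        uint256 userStake = balances[msg.sender][token];
        if (userStake == 0) revert NothingToClaim();
        if (token == ETH) {
            claimed = userStake;
            balances[msg.sender][token] = 0;
        } else {
            claimed = (userStake * percentage) / 100;
            balances[msg.sender][token] = userStake - claimed;
        }
    }

    /// Recommended shape: one code path, so ETH can also be claimed in parts.
    /// Rejecting 0 and values above 100 keeps the subtraction from underflowing
    /// and avoids claims that move nothing.
    function claimByPercentage(address token, uint8 percentage) external returns (uint256 claimed) {
        if (percentage == 0 || percentage > 100) revert InvalidPercentage();
        uint256 userStake = balances[msg.sender][token];
        if (userStake == 0) revert NothingToClaim();
        claimed = (userStake * percentage) / 100; // rounds down; 100 clears the balance
        balances[msg.sender][token] = userStake - claimed;
    }
}
```

With a stake of 10 ether under the ETH sentinel, claimAsDescribed(ETH, 30) leaves a balance of 0, while claimByPercentage(ETH, 30) leaves 7 ether.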