code-423n4 / 2024-05-loop-validation


Users can Claim more than they stake/lock Due to Unchecked `_Percentage` Value and `userClaim<=userStake` #285

Closed c4-bot-7 closed 5 months ago

c4-bot-7 commented 5 months ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L253-L253
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L211
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L226

Vulnerability details

Impact

By passing a `_percentage` that exceeds 100, the calculated `userClaim` exceeds the `userStake`. This would not only allow users to claim more than their stake but also affect the contract's balance integrity and other users.

Proof of Concept

In the `_claim` function of the `PrelaunchPoints.sol` contract, there is a critical vulnerability due to the lack of validation on the `_percentage` parameter and no check that `userClaim <= userStake`.

The `_percentage` parameter represents the percentage of the user's stake that they wish to claim. However, the function does not enforce any constraint to ensure that `_percentage` does not exceed 100.

```solidity
uint256 userClaim = userStake * _percentage / 100;
_validateData(_token, userClaim, _exchange, _data);
balances[msg.sender][_token] = userStake - userClaim;
```

This oversight allows a user to potentially claim more than their total staked amount, leading to significant discrepancies and potential exploitation.

If the `_percentage` parameter is set to a value greater than 100, such as 200, `userClaim` is calculated as double the user's actual stake.

Exploitation Scenario:

  1. Initial Setup: A user locks a certain amount of tokens using the `lock()` function.
  2. Malicious Claim: The user calls the `claim()` function with `_percentage` set to 200. In `uint256 userClaim = userStake * _percentage / 100;`, `userClaim` will be twice `userStake` for a `_percentage` of 200, and `balances[msg.sender][_token] = userStake - userClaim;` will always be positive.
  3. The user receives an amount of tokens or benefits that exceeds their original `lockAmount`.

Note: if needed, the `_data` bytes passed to the function can also be manipulated.

Tools Used

VS Code

Recommended Mitigation Steps

Consider adding the checks below:

```solidity
require(_percentage <= 100, "Percentage cannot exceed 100");
```

and

```solidity
require(userClaim <= userStake);
```

Assessed type

Other

0xSorryNotSorry commented 5 months ago

> and `balances[msg.sender][_token] = userStake - userClaim;` will always be positive

Insufficient proof

0xSorryNotSorry commented 5 months ago

@howlbot reject
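As an added example, not code from the Loop repository, from the warden or from the judge, here is a minimal contract that mirrors the `userStake * _percentage / 100` pattern from the finding and applies the two checks the finding recommends. The contract name, the bookkeeping-only `lock` function, the reason strings and the `^0.8.20` pragma are assumptions; the comment on the subtraction assumes the audited contract is compiled with Solidity 0.8 or later, as this one is.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Illustration only (hypothetical contract, not PrelaunchPoints): a lock/claim
/// pair that reproduces the percentage-based claim arithmetic from the finding
/// with both recommended checks in place.
contract PercentClaimExample {
    /// user => token => locked balance, same shape as `balances` in the finding.
    mapping(address => mapping(address => uint256)) public balances;

    event Locked(address indexed user, address indexed token, uint256 amount);
    event Claimed(address indexed user, address indexed token, uint256 amount);

    /// Hypothetical lock: bookkeeping only, no token transfer, so the claim
    /// arithmetic can be exercised on its own.
    function lock(address _token, uint256 _amount) external {
        require(_amount > 0, "zero lock");
        balances[msg.sender][_token] += _amount;
        emit Locked(msg.sender, _token, _amount);
    }

    /// Hardened claim. `_percentage` is bounded before it feeds the
    /// multiplication, and the derived `userClaim` is re-checked against the
    /// stake so the invariant is stated explicitly rather than implied.
    function claim(address _token, uint256 _percentage) external returns (uint256 userClaim) {
        // First recommended check: reject anything above 100 up front.
        require(_percentage <= 100, "Percentage cannot exceed 100");

        uint256 userStake = balances[msg.sender][_token];
        require(userStake > 0, "nothing locked");

        userClaim = userStake * _percentage / 100;

        // Second recommended check. Given the bound above it cannot fail, but
        // it documents the invariant at the point where the value is derived.
        require(userClaim <= userStake, "claim exceeds stake");

        // Under Solidity >= 0.8 checked arithmetic (assumed here) this line
        // would already revert with Panic(0x11) if userClaim > userStake; the
        // requires above replace that bare panic with a readable revert reason
        // and stop the call before _validateData-style downstream logic runs.
        balances[msg.sender][_token] = userStake - userClaim;
        emit Claimed(msg.sender, _token, userClaim);
    }
}
```

A Foundry test that calls `claim(token, 200)` after a `lock(token, 1 ether)` should observe a revert with "Percentage cannot exceed 100"; with both requires removed and a 0.8.x compiler, the same call is expected to revert on the subtraction with an arithmetic panic rather than pay out twice the stake, which is why a proof of concept for this class of finding needs a trace showing tokens actually leaving the contract.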