By passing a _percentage which exceeds 100, the calculated userClaim exceeds the userStake. This would not only allow a user to claim more than their stake but also affect the contract's balance integrity and other users.
Proof of Concept
In the _claim function of the PrelaunchPoints.sol contract, there is a critical vulnerability due to the lack of validation on the _percentage parameter and no check on userClaim <= userStake.
The _percentage parameter represents the percentage of the user's stake that they wish to claim. However, the function does not enforce any constraints to ensure that _percentage does not exceed 100.
This oversight allows a user to potentially claim more than their total staked amount, leading to significant discrepancies and potential exploitation.
If the _percentage parameter is set to a value greater than 100, such as 200, userClaim is calculated as double the user's actual stake.
Exploitation Scenario:
1. Initial Setup: A user locks a certain amount of tokens using the lock() function.
2. Malicious Claim: The user calls the claim() function with _percentage set to 200.
   uint256 userClaim = userStake * _percentage / 100; // here userClaim will be twice the userStake for a _percentage of 200
   and balances[msg.sender][_token] = userStake - userClaim; will always be positive
3. Now the user receives an amount of tokens or benefits that exceeds their original lockAmount.
Note: if needed, the _data bytes passed to the function can also be manipulated.
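The two checks this report says are missing (a bound on _percentage and userClaim <= userStake), written out as an added example; this is not the PrelaunchPoints code or the report author's own patch. The contract name, recordStake, claimAccounting, the custom errors, the parameter types and the compiler version are assumptions; only _percentage, userStake, userClaim and balances mirror names used above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20; // assumed compiler version for this sketch

/// Added illustration: a minimal stake ledger, NOT the PrelaunchPoints contract.
/// It only does the accounting; no tokens are moved.
contract ClaimBoundsExample {
    error InvalidPercentage(uint256 given);
    error ClaimExceedsStake(uint256 claim, uint256 stake);
    error NothingStaked();

    // user => token => staked amount
    mapping(address => mapping(address => uint256)) public balances;

    /// Hypothetical stand-in for lock(): records a stake in the ledger.
    function recordStake(address _token, uint256 _amount) external {
        balances[msg.sender][_token] += _amount;
    }

    /// Computes the claim for `_percentage` of the caller's stake and
    /// debits the ledger. Reverts when _percentage is above 100.
    function claimAccounting(address _token, uint256 _percentage)
        external
        returns (uint256 userClaim)
    {
        // Check 1: bound the caller-supplied percentage before any math.
        if (_percentage > 100) {
            revert InvalidPercentage(_percentage);
        }

        uint256 userStake = balances[msg.sender][_token];
        if (userStake == 0) revert NothingStaked();

        userClaim = userStake * _percentage / 100;

        // Check 2: state the invariant explicitly so a violation surfaces
        // as a named error rather than depending on the subtraction below.
        if (userClaim > userStake) {
            revert ClaimExceedsStake(userClaim, userStake);
        }

        // Update the ledger before any external transfer would happen
        // (checks-effects-interactions ordering).
        balances[msg.sender][_token] = userStake - userClaim;
    }
}
```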
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L253-L253
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L211
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L226
Tools Used
VS Code
Recommended Mitigation Steps
consider adding below checks
and
Assessed type
Other