Users will unfairly lose all their points during an emergency withdraw

[c4-bot-4]

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L274-L306

Vulnerability details

Impact

When the owner start an emergency withdraw, LRT's stakers will unfairly lose all their points.

Proof of Concept

• The Loop protocol's kickstart requires liquidity (i.e., ETH) which will be sourced from the Loop Points Program. The Points Program incentivizes users to lock ETH or Liquid Restaking Tokens (LRT) into the protocol.

• In exchange, users earn points. These points are distributed hourly across all depositors to incentivize early locking. On withdrawal, users loose all their points.

• This points system is tracked offchain based on Locked and Withdraw events.

• The issue is that there is an emergency mode that allows users to withdraw without any time restriction in case the 0x integration fails.

• Consequently, when LRT's stakers forcefully withdraw on such event, they will lose all their earned points, contrary to the ETH/WETH stakers which they can withdraw using the claim function becuase no Withdraw events will be trigerred:

    function _claim(address _token, address _receiver, uint8 _percentage, Exchange _exchange, bytes calldata _data)
        internal
        returns (uint256 claimedAmount)
    {
        uint256 userStake = balances[msg.sender][_token];
        if (userStake == 0) {
            revert NothingToClaim();
        }
        if (_token == ETH) {
            claimedAmount = userStake.mulDiv(totalLpETH, totalSupply);
            balances[msg.sender][_token] = 0;
            lpETH.safeTransfer(_receiver, claimedAmount);
        } else {
            // code
        }
        emit Claimed(msg.sender, _token, claimedAmount);
    }

• Thus, when an emergency occur after all eth was converted, ETH/WETH stakers can withdraw their funds without losing any points, while LRTs stakers will lose all their points upon withdrawals.

Tools Used

Manual review

Recommended Mitigation Steps

Consider introducing a new emergency withdraw function for LRT stakers that dosen't trigger any Withdrawn event.

Assessed type

Other

[141345]

invalid

LRT and ETH events are the same

[141345]

@howlbot reject

[0xbtk]

Hi @0xbtk

I agree there is an oversight from the validator. The events are the same, but they are triggered differently for ETH on emergency withdrawal. However, It doesn't fall under

"or leak value with a hypothetical attack path with stated assumptions, but external requirements."

Because the points are calculated off-chain. So, it is under the control of the protocol team.

@koolexcrypto While it's true that points are calculated off-chain, the underlying issue originates on-chain. The points are derived from these on-chain events, leading to a direct loss for LRT stakers. Doesn't this warrant a medium?

[koolexcrypto]

Hi @0xbtk I agree there is an oversight from the validator. The events are the same, but they are triggered differently for ETH on emergency withdrawal. However, It doesn't fall under

"or leak value with a hypothetical attack path with stated assumptions, but external requirements."

Because the points are calculated off-chain. So, it is under the control of the protocol team.

@koolexcrypto While it's true that points are calculated off-chain, the underlying issue originates on-chain. The points are derived from these on-chain events, leading to a direct loss for LRT stakers. Doesn't this warrant a medium?

When there is emergency, I don't believe that points are considered anyway. Also, there is no attack happening here.