State-Effects issue in the ILOPool.launch function leading to a reentrancy exit for shareholders who bought LP using a contract that listens to ERC721 txs. #646
Shareholders buying shares with smart contracts can call ILOPool.claimRefund() during the ILOPool.launch() function call invoked by the sale admin.
Proof of Concept
ILOPool.launch mints ERC721 tokens in a loop to every user who bought shares. Only once the loop has concluded is a boolean state set, declaring the sale to have been successful.
_launchSucceeded = true;
The issue here is basic State-Effects. The boolean should have been changed to true at the start of the function call to prevent successful reentrancy into ILOPool.claimRefund().
Attack:
1) User makes a smart contract that implements the ERC721 fallback functions, which will invoke ILOPool.claimRefund() once triggered.
2) Buys shares.
3) Admin tries to launch the pool, minting tokens to every shareholder, including the attacker.
4) Fallback is triggered allowing for reentrancy & exiting.
Tools Used
Manual analysis.
Recommended Mitigation Steps
State-Effects, reentrancy guards, only allowing EOAs to become shareholders (optional).
Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L315
Assessed type
Reentrancy
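The ordering recommended under "Recommended Mitigation Steps", shown in a simplified pool. This is an added example, not the ILOPool source: only the names launch(), claimRefund() and _launchSucceeded come from the report. PoolSketch, IReceiver, onMinted, buy, paid, _holders and _entered are hypothetical, and onMinted stands in for the ERC721 receiver callback.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical stand-in for the ERC721 receiver callback: the point during
// launch() at which a contract shareholder receives control.
interface IReceiver {
    function onMinted(uint256 tokenId) external;
}

contract PoolSketch {
    address public immutable admin = msg.sender;
    bool private _launchSucceeded;
    bool private _entered;                     // minimal reentrancy lock
    address[] private _holders;
    mapping(address => uint256) public paid;   // refundable deposit per holder

    modifier nonReentrant() {
        require(!_entered, "reentrant call");
        _entered = true;
        _;
        _entered = false;
    }

    function buy() external payable {
        require(!_launchSucceeded, "sale closed");
        require(msg.value > 0, "no payment");
        if (paid[msg.sender] == 0) _holders.push(msg.sender);
        paid[msg.sender] += msg.value;
    }

    function launch() external nonReentrant {
        require(msg.sender == admin, "not admin");
        require(!_launchSucceeded, "already launched");
        _launchSucceeded = true;               // effect first; the report sets it after the loop
        for (uint256 i = 0; i < _holders.length; i++) {
            address h = _holders[i];
            // interaction last: external call into a shareholder contract
            if (h.code.length > 0) IReceiver(h).onMinted(i);
        }
    }

    function claimRefund() external nonReentrant {
        require(!_launchSucceeded, "launched: no refund");
        uint256 amount = paid[msg.sender];
        paid[msg.sender] = 0;                  // zero the balance before sending
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "refund failed");
    }
}
```

Either measure alone rejects a claimRefund() call nested inside launch(): the shared lock reverts it, and so does the flag check once the flag is set before the loop.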