Lines of code
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L350
Vulnerability details
Summary
The ILOPool contract's claimRefund function computes refunds from internal accounting only, so external changes to the contract's token balance (for example an airdrop of the raise token) are never reflected in the refund amounts. The mismatch between recorded and actual balances can leave funds stuck in the contract.
Impact
Users may not be able to retrieve the full amount of their raised tokens because the refund calculation does not match the contract's real balance, leaving funds stuck in the contract.
Affected Function
https://github.com/code-423n4/2024-06-vultisig/blob/cb72b1e9053c02a58d874ff376359a83dc3f0742/src/ILOPool.sol#L350
claimRefund determines the refund amount from _positions[tokenId].raiseAmount alone. If the contract's token balance increases externally (e.g., through an airdrop), the internal accounting does not reflect the increase and users cannot claim the additional funds. Conversely, if the balance decreases (e.g., through rebasing), users may not receive the amount they are entitled to, leaving excess funds in the contract.
Steps to Reproduce
1. Deploy the ILOPool contract and initialize it with appropriate parameters.
2. Conduct a sale, allowing users to buy positions and raise tokens.
3. Trigger an external change in the token balance (e.g., an airdrop affecting the RAISE_TOKEN).
4. Attempt to claim a refund using the claimRefund function.
5. Observe that the refund amount is incorrect and some funds remain in the contract.
The refund amounts do not account for external changes in token balances, leading to discrepancies and potentially leaving funds stuck in the contract.
Suggested Mitigation
Periodically sync the contract's internal accounting with the actual token balances to account for any external changes.
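As an added illustration, and not code from the Vultisig ILOPool contract, the hypothetical pool below places the refund pattern the report describes (pay exactly the recorded raiseAmount) next to the synced variant the mitigation suggests (reconcile internal accounting against the real balance, then pay each position its pro-rata share). The contract name RefundPoolExample, the Position layout, buy, claimRefundNaive, syncBalance and claimRefundSynced are all assumed names for this example; only RAISE_TOKEN, claimRefund and _positions[tokenId].raiseAmount come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC20 surface the example needs (assumed here, not the project's interface file).
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Hypothetical stand-in for an ILO pool; only the buy and refund paths are modelled.
contract RefundPoolExample {
    IERC20 public immutable RAISE_TOKEN;

    struct Position { uint256 raiseAmount; bool refunded; }
    mapping(uint256 => Position) internal _positions;
    mapping(uint256 => address) internal _ownerOf; // position id -> position owner

    uint256 public totalOutstandingRaise; // sum of raiseAmount over positions not yet refunded
    uint256 public trackedBalance;        // what internal accounting believes the pool holds
    bool public refundable;

    constructor(IERC20 raiseToken) { RAISE_TOKEN = raiseToken; }

    // Records a purchase from the real balance delta, so the internal accounting matches what
    // was actually received even for fee-on-transfer tokens.
    function buy(uint256 tokenId, uint256 amount) external {
        require(!refundable, "sale over");
        uint256 before = RAISE_TOKEN.balanceOf(address(this));
        require(RAISE_TOKEN.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = RAISE_TOKEN.balanceOf(address(this)) - before;
        _positions[tokenId].raiseAmount += received;
        _ownerOf[tokenId] = msg.sender;
        totalOutstandingRaise += received;
        trackedBalance += received;
    }

    // Access control omitted for brevity; a real pool gates this on the sale outcome.
    function enableRefund() external { refundable = true; }

    // Pattern the report describes: pays exactly the recorded raiseAmount. Tokens the pool
    // gained externally (airdrop) are never distributed and stay stuck; tokens it lost
    // (downward rebase) make the last claimants' transfers revert.
    function claimRefundNaive(uint256 tokenId) external returns (uint256 refund) {
        require(refundable, "not refundable");
        Position storage p = _positions[tokenId];
        require(msg.sender == _ownerOf[tokenId] && !p.refunded, "bad claim");
        refund = p.raiseAmount;
        p.refunded = true;
        totalOutstandingRaise -= refund;
        require(RAISE_TOKEN.transfer(msg.sender, refund), "transfer failed");
    }

    // Mitigation: reconcile internal accounting with the real balance. Anyone may call it, and
    // claimRefundSynced calls it before computing a payout so no keeper is required.
    function syncBalance() public {
        trackedBalance = RAISE_TOKEN.balanceOf(address(this));
    }

    // Each position receives the share of the real balance proportional to its share of the
    // outstanding raise. When the last position claims, totalOutstandingRaise == p.raiseAmount
    // and the refund equals trackedBalance exactly, so no rounding dust is left behind.
    function claimRefundSynced(uint256 tokenId) external returns (uint256 refund) {
        require(refundable, "not refundable");
        Position storage p = _positions[tokenId];
        require(msg.sender == _ownerOf[tokenId] && !p.refunded, "bad claim");
        syncBalance();
        refund = trackedBalance * p.raiseAmount / totalOutstandingRaise;
        // Effects before the external transfer (checks-effects-interactions).
        p.refunded = true;
        totalOutstandingRaise -= p.raiseAmount;
        trackedBalance -= refund;
        require(RAISE_TOKEN.transfer(msg.sender, refund), "transfer failed");
    }
}
```

Syncing at claim time means an airdrop or upward rebase is shared by the positions still outstanding and a downward rebase is absorbed proportionally rather than by whoever claims last, which is what keeps funds from being stranded. The trade-off is that the payout depends on the balance at the moment of the call, so a pool using this pattern should also keep the raise token separate from any other asset it holds and never rely on the balance for access decisions.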
Assessed type
Token-Transfer