Lack of validate `minBuyAmount` in `calldata` can cause lost protocol funds

[c4-bot-3]

Lines of code

https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L263 https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L424 https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L461

Vulnerability details

The returned values ​​from decoding call data should always be checked, one of important which is minBuyAmount, which is used for slippage, and this should be checked the the task of validate the returned data. _validateData function does not validate the value of minBuyAmount:

• Vulnerable function is _validateData(): https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L417C1-L455C6

  
  function _validateData(address _token, uint256 _amount, Exchange _exchange, bytes calldata _data) internal view {
      address inputToken;
      address outputToken;
      uint256 inputTokenAmount;
      address recipient;
      bytes4 selector;
  
      if (_exchange == Exchange.UniswapV3) {
          (inputToken, outputToken, inputTokenAmount, recipient, selector) = _decodeUniswapV3Data(_data);
          if (selector != UNI_SELECTOR) {
              revert WrongSelector(selector);
          }
          // UniswapV3Feature.sellTokenForEthToUniswapV3(encodedPath, sellAmount, minBuyAmount, recipient) requires `encodedPath` to be a Uniswap-encoded path, where the last token is WETH
          if (outputToken != address(WETH)) {
              revert WrongDataTokens(inputToken, outputToken);
          }
          if (recipient != address(this)) {
          revert WrongRecipient(recipient);
      }
     // .. SNIP ...
  
  }

[c4-bot-10]

Discord id(s) for hunter(s): [object Object]

[bytes032]

Invalid + Lacks POC