code-423n4 / loopfi-bug-bounty


Unchecked External Calls (Potential Critical) #54

Closed: c4-bot-4 closed this 2 months ago

c4-bot-4 commented 2 months ago

Lines of code

https://github.com/LoopFi/loop-prelaunch-contracts/blob/c8b13474aa4f319eec368fc4827bf51eddad080f/src/PrelaunchPoints.sol#L504

Vulnerability details

Risk: If the contract relies heavily on external calls (e.g., exchangeProxy in the _fillQuote function) without proper validation or handling, this could open the contract to severe vulnerabilities like reentrancy attacks or denial of service (DoS) from malicious contracts.

Critical Impact: If an external contract is compromised, the attacker could execute arbitrary code, manipulate the contract’s state, or cause the contract to misbehave, potentially leading to a complete loss of funds.

Mitigation: Besides implementing reentrancy guards, it’s crucial to ensure that the external contracts are thoroughly vetted, and fallback mechanisms are in place if an external call fails or behaves unexpectedly. Consider using try/catch blocks for external calls and ensuring there is no trust assumption about the external contract's behavior.
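As an added illustration of the mitigation the report asks for (not code from the LoopFi repository): a hypothetical `_fillQuoteGuarded` that checks the low-level call result, bounds the allowance granted to the proxy, verifies the swap outcome by token balance deltas instead of trusting the proxy, and is protected by a reentrancy guard. The contract, function and parameter names, and the OpenZeppelin v5 import paths, are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

/// Hypothetical contract illustrating a guarded exchange-proxy call.
/// This is NOT the PrelaunchPoints code; names are assumed for illustration.
contract GuardedSwap is ReentrancyGuard {
    using SafeERC20 for IERC20;

    address public immutable exchangeProxy; // aggregator address, fixed at deploy

    error SwapFailed(bytes reason);
    error InsufficientOutput(uint256 received, uint256 minOut);
    error ProxyPulledTooMuch(uint256 spent, uint256 maxIn);

    constructor(address _exchangeProxy) {
        require(_exchangeProxy != address(0), "zero proxy");
        exchangeProxy = _exchangeProxy;
    }

    /// Executes an opaque swap through the proxy, then validates the result
    /// from this contract's own balances rather than the proxy's return data.
    function _fillQuoteGuarded(
        IERC20 sellToken,
        IERC20 buyToken,
        uint256 sellAmount,
        uint256 minBuyAmount,
        bytes calldata swapCallData
    ) internal nonReentrant returns (uint256 bought) {
        uint256 sellBefore = sellToken.balanceOf(address(this));
        uint256 buyBefore = buyToken.balanceOf(address(this));

        // Grant exactly this trade's allowance and reset it afterwards, so a
        // misbehaving proxy cannot pull more than the caller intended.
        sellToken.forceApprove(exchangeProxy, sellAmount);
        (bool ok, bytes memory ret) = exchangeProxy.call(swapCallData);
        sellToken.forceApprove(exchangeProxy, 0);
        if (!ok) revert SwapFailed(ret); // never ignore a failed external call

        uint256 spent = sellBefore - sellToken.balanceOf(address(this));
        if (spent > sellAmount) revert ProxyPulledTooMuch(spent, sellAmount);

        bought = buyToken.balanceOf(address(this)) - buyBefore;
        if (bought < minBuyAmount) revert InsufficientOutput(bought, minBuyAmount);
    }
}
```

The `minBuyAmount` check is what turns an unverified external call into one whose worst case is a revert rather than a silent loss; the balance-delta reads deliberately ignore whatever the proxy returns.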

c4-bot-8 commented 2 months ago

Discord id(s) for hunter(s): [object Object]

0xd4n1el commented 2 months ago

There is some basic validation on our side, and most validation happens on the 0x protocol. Unless there is a PoC showing how to extract user funds, this should be dismissed.