c4-bot-1 commented 3 months ago

Lines of code

https://github.com/LoopFi/loop-prelaunch-contracts/blob/main/src/PrelaunchPoints.sol#L284-L306

Vulnerability details

Impact

When the owner start an emergency withdraw, LRT's stakers will unfairly lose all their points.

Proof of Concept

The Loop protocol's kickstart requires liquidity (i.e., ETH) which will be sourced from the Loop Points Program. The Points Program incentivizes users to lock ETH or Liquid Restaking Tokens (LRT) into the protocol.
In exchange, users earn points. These points are distributed hourly across all depositors to incentivize early locking. On withdrawal, users loose all their points.
This points system is tracked offchain based on Locked and Withdraw events.
The issue is that there is an emergency mode that allows users to withdraw without any time restriction in case the 0x integration fails.
Consequently, when LRT's stakers forcefully withdraw on such event, they will lose all their earned points, contrary to the ETH/WETH stakers which they can withdraw using the claim function becuase no Withdraw events will be trigerred:

    function _claim(address _token, address _receiver, uint8 _percentage, Exchange _exchange, bytes calldata _data)
        internal
        returns (uint256 claimedAmount)
    {
        if (_percentage == 0) {
            revert CannotClaimZero();
        }
        uint256 userStake = balances[msg.sender][_token];
        if (userStake == 0) {
            revert NothingToClaim();
        }
        if (_token == address(WETH)) {
            claimedAmount = userStake.mulDiv(totalLpETH, totalSupply);
            balances[msg.sender][_token] = 0;
            if (_receiver != address(this)){
                lpETH.safeTransfer(_receiver, claimedAmount);
            }  
        } else {
            uint256 userClaim = userStake * _percentage / 100;
            _validateData(_token, userClaim, _exchange, _data);
            balances[msg.sender][_token] = userStake - userClaim;
            uint256 balanceWethBefore = WETH.balanceOf(address(this));

            // Swap token to ETH
            _fillQuote(IERC20(_token), userClaim, _data);

            // Convert swapped ETH to lpETH (1 to 1 conversion)
            claimedAmount = WETH.balanceOf(address(this)) - balanceWethBefore;
            WETH.approve(address(lpETH), claimedAmount);
            lpETH.deposit(claimedAmount, _receiver);
        }
        emit Claimed(msg.sender, _token, claimedAmount);
    }

Thus, when an emergency occur after all eth was converted, ETH/WETH stakers can withdraw their funds without losing any points, while LRTs stakers will lose all their points upon withdrawals.

Tools Used

Manual review

Recommended Mitigation Steps

Consider introducing a new emergency withdraw function for LRT stakers that dosen't trigger any Withdrawn event.

c4-bot-9 commented 3 months ago

Discord id(s) for hunter(s): [object Object]

bytes032 commented 2 months ago

Expected behavior in emergency situations.

code-423n4 / loopfi-bug-bounty