Users can claim the eth accidentally sent to PrelaunchPoints using the claim function
howlbot-integration opened this issue · 7 comments
Lines of code
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L262
Vulnerability details
Impact
Any user can claim the eth accidentally sent to the PrelaunchPoints contract.
Proof of Concept
The protocol operates under the assumption that ETH sent to the contract is permanently locked:
/**
* Enable receive ETH
* @dev ETH sent to this contract directly will be locked forever.
*/
receive() external payable {}

The problem arises in the _claim function, which uses address(this).balance instead of the user's balance when depositing in lpETH, resulting in a first-come, first-served scenario:
claimedAmount = address(this).balance;
lpETH.deposit{value: claimedAmount}(_receiver);

Consequently, after all ETH has been converted, any remaining or subsequently sent ETH to the contract will be claimed by the first user.
Tools Used
Manual review
Recommended Mitigation Steps
Consider updating the _claim function as follows:
claimedAmount = userClaim > address(this).balance ? address(this).balance : userClaim;
lpETH.deposit{value: claimedAmount}(_receiver);

Additionally, implement a similar function to recoverERC20 to withdraw ETH, accessible only after convertAllETH has been called.
Assessed type
Other
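The accounting problem in this report, shown as an added example that is not the PrelaunchPoints source and not part of the original issue: the reported sweep of `address(this).balance` next to a variant that credits only the ETH produced during the call. `IVault`, `ISwapper`, `ClaimModel`, `claimSweep` and `claimDelta` are hypothetical names. The example assumes that a swap returning ETH runs just before the deposit, and the balance-delta check is an alternative to the cap the report recommends, not the report's own fix.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration; NOT the PrelaunchPoints source.
// IVault, ISwapper and every function name below are hypothetical stand-ins.
interface IVault { function deposit(address receiver) external payable; }

// Assumed to take the caller's tokens and send the resulting ETH to this contract.
interface ISwapper { function swapToETH(uint256 tokenAmount) external; }

contract ClaimModel {
    IVault public immutable vault;
    ISwapper public immutable swapper;

    constructor(IVault _vault, ISwapper _swapper) {
        vault = _vault;
        swapper = _swapper;
    }

    // As in the reported contract: anyone can send ETH here directly.
    receive() external payable {}

    // Reported pattern: the whole contract balance is credited to the caller,
    // so ETH that arrived through receive() goes to whoever claims next.
    function claimSweep(uint256 tokenAmount, address receiver) external returns (uint256 claimedAmount) {
        swapper.swapToETH(tokenAmount);
        claimedAmount = address(this).balance;
        vault.deposit{value: claimedAmount}(receiver);
    }

    // Hardened variant: snapshot the balance first and credit only the
    // difference, so ETH already sitting in the contract is left untouched.
    function claimDelta(uint256 tokenAmount, address receiver) external returns (uint256 claimedAmount) {
        uint256 balanceBefore = address(this).balance;
        swapper.swapToETH(tokenAmount);
        claimedAmount = address(this).balance - balanceBefore;
        vault.deposit{value: claimedAmount}(receiver);
    }
}
```

With `claimDelta`, ETH sent directly to the contract stays in its balance, which is why the report's second recommendation (an owner-only ETH recovery function) becomes relevant.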
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto changed the severity to 2 (Med Risk)
koolexcrypto marked the issue as partial-50
koolexcrypto changed the severity to 3 (High Risk)
koolexcrypto marked the issue as partial-25