User may claim more LpETH due to ETH being mistakenly sent to the contract

Question

User may claim more LpETH due to ETH being mistakenly sent to the contract

howlbot-integration opened this issue 2 years ago · 9 comments

howlbot-integration commented 2 years ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L392
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L259-L263
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L503-L504
https://github.com/code-423n4/2024-05-loop/blob/0dc8467ccff27230e7c0530b619524cc8401e22a/src/PrelaunchPoints.sol#L321-L324

Vulnerability details

Impact

If a user mistakenly sends ETH to the contract before convertAllETH has been called by the owner, every user could claim more lpETH than expected. If he mistakenly sends ETH to the contract after convertAllETH has been called by the owner, the first user to claim after him could get more lpETH.

Proof of Concept

The contract is able to receive ETH.

    /**
     * Enable receive ETH
     * @dev ETH sent to this contract directly will be locked forever.
     */
    receive() external payable {}

However, if a user mistakenly sends ETH to the contract, this would affect the claiming process.

Consider the following 2 cases:

If a user mistakenly sends ETH to the contract before convertAllETH has been called by the owner, every user could claim more lpETH than expected.

When convertAllETH is being called by the owner, all ETH in the contract will be converted to lpETH. When a user claims his locked ETH afterwards, the calculation claimedAmount = userStake.mulDiv(totalLpETH, totalSupply) will give him more lpETH than actual amount.

        uint256 totalBalance = address(this).balance;
        lpETH.deposit{value: totalBalance}(address(this));
        totalLpETH = lpETH.balanceOf(address(this));

If he mistakenly sends ETH to the contract after convertAllETH has been called by the owner, the first user to claim after him could get more lpETH.

When _claim is later being called, lpETH.deposit{value: claimedAmount}(_receiver) has been called to convert all ETH in the contract to lpETH. Thus the first user to claim afterwards could get more lpETH than actual amount.

            claimedAmount = address(this).balance;
            lpETH.deposit{value: claimedAmount}(_receiver);

Tools Used

Manual, VSCode

Recommended Mitigation Steps

Three steps:

Since totalSupply is used to record ETH balance, it is better to use totalSupply to convert to lpETH.
Use the boughtETHAmount obtained in _fillQuote to convert to ETH.
Add a retrieve function to retrieve address(this).balance-totalSupply before claiming and address(this).balance after claiming.

Assessed type

ETH-Transfer

Answer 1 · 2024-05-15T14:09:30.000Z

koolexcrypto marked the issue as duplicate of #18

Answer 2 · 2024-06-03T09:03:32.000Z

koolexcrypto changed the severity to 3 (High Risk)

Answer 3 · 2024-06-05T07:29:36.000Z

koolexcrypto changed the severity to 2 (Med Risk)

Answer 4 · 2024-06-05T09:31:13.000Z

koolexcrypto marked the issue as partial-50

Answer 5 · 2024-06-05T09:41:00.000Z

koolexcrypto changed the severity to 3 (High Risk)

Answer 6 · 2024-06-05T09:41:22.000Z

koolexcrypto marked the issue as duplicate of #33

Answer 7 · 2024-06-11T07:29:26.000Z

koolexcrypto marked the issue as not a duplicate

Answer 8 · 2024-06-11T07:29:41.000Z

koolexcrypto changed the severity to QA (Quality Assurance)

Answer 9 · 2024-06-11T07:29:45.000Z

koolexcrypto marked the issue as grade-c