after `_fillQuote` the contract transfer wrong `ETH` amount

Question

after `_fillQuote` the contract transfer wrong `ETH` amount

howlbot-integration opened this issue 2 years ago · 11 comments

howlbot-integration commented 2 years ago

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L262
https://github.com/code-423n4/2024-05-loop/blob/main/src/PrelaunchPoints.sol#L491-L505

Vulnerability details

Impact

The user could receive the forever locked ETH as part of claim ETH.

Proof of Concept

The PrelaunchPoints contract has receive() function and the comment on it says that:

@dev ETH sent to this contract directly will be locked forever.
However inside the claim() function the contract check that if the out token is not ETH then it will first convert it into ETH for this it will call _fillQuote():

function _fillQuote(IERC20 _sellToken, uint256 _amount, bytes calldata _swapCallData) internal {
        // Track our balance of the buyToken to determine how much we've bought.
      @>  uint256 boughtETHAmount = address(this).balance;

        require(_sellToken.approve(exchangeProxy, _amount));

        (bool success,) = payable(exchangeProxy).call{value: 0}(_swapCallData);
        if (!success) {
            revert SwapCallFailed();
        }

        // Use our current buyToken balance to determine how much we've bought.
     @>   boughtETHAmount = address(this).balance - boughtETHAmount;
        emit SwappedTokens(address(_sellToken), _amount, boughtETHAmount);
    }

Here the contract calls the exchangeProxy and convert token to ETH and subtract the received ETH from before ETH balance.
inside the _claim function :

  _fillQuote(IERC20(_token), userClaim, _data);

            // Convert swapped ETH to lpETH (1 to 1 conversion)
  @>          claimedAmount = address(this).balance; // @audit : it will give all the ETH of contract to receiver
  @>         lpETH.deposit{value: claimedAmount}(_receiver);

Here the contract transfer the complete ETH Balance to the _receiver.
The Issue here is that this function will also transfer the locked ETH to the receiver.

let assume that the contract have 1 ETH locked.

Alice have 1 stETH to claim.
Alice calls the claim function to claim her token.
The contract call the _fillQuote function to convert the assets.
The _fillQuote convert 1 stEth to ETH and receive 1 ETH after conversion. assume 1:1 ETH:stETH.
The claim function get the balance of contract which is 1 Locked ETH + 1 received ETH after conversion so the address(this).balance = 2 ETH.
The contract transfer 2 ETH to Alice.

Tools Used

Manual Review

Recommended Mitigation Steps

Extract the exact balance received after conversion and transfer it to receive . because the user is not allow to receive the Locked ETH in contract.
one solution cold be as follows:
return the boughtAmount from _fillQuote function and send it to the receiver.

diff --git a/src/PrelaunchPoints.sol b/src/PrelaunchPoints.sol
index aa6b9f4..a7fc49f 100644
--- a/src/PrelaunchPoints.sol
+++ b/src/PrelaunchPoints.sol
@@ -253,13 +253,12 @@ contract PrelaunchPoints {
             uint256 userClaim = userStake * _percentage / 100;
             _validateData(_token, userClaim, _exchange, _data);
             balances[msg.sender][_token] = userStake - userClaim;
             // At this point there should not be any ETH in the contract
             // Swap token to ETH
-            _fillQuote(IERC20(_token), userClaim, _data);
+          claimedAmount=  _fillQuote(IERC20(_token), userClaim, _data);
 
             // Convert swapped ETH to lpETH (1 to 1 conversion)
-            claimedAmount = address(this).balance;
             lpETH.deposit{value: claimedAmount}(_receiver);

@@ -488,7 +487,7 @@ contract PrelaunchPoints {
      * @param _swapCallData  The `data` field from the API response.
      */
 
-    function _fillQuote(IERC20 _sellToken, uint256 _amount, bytes calldata _swapCallData) internal {
+    function _fillQuote(IERC20 _sellToken, uint256 _amount, bytes calldata _swapCallData) internal returns(uint256 ){
         // Track our balance of the buyToken to determine how much we've bought.
         uint256 boughtETHAmount = address(this).balance;
 
@@ -501,6 +500,7 @@ contract PrelaunchPoints {
 
         // Use our current buyToken balance to determine how much we've bought.
         boughtETHAmount = address(this).balance - boughtETHAmount;
+        return boughtETHAmount;
         emit SwappedTokens(address(_sellToken), _amount, boughtETHAmount);
     }

Assessed type

ETH-Transfer

Answer 1 · 2024-05-15T13:33:32.000Z

koolexcrypto marked the issue as duplicate of #18

Answer 2 · 2024-05-15T13:33:37.000Z

koolexcrypto marked the issue as partial-75

Answer 3 · 2024-05-15T13:34:40.000Z

contract have 1 ETH locked

Didn't explain how the contract got 1 ETH locked, the contract shouldn't have any ETH locked unless someone sent to it directly.

Answer 4 · 2024-06-03T09:03:32.000Z

koolexcrypto changed the severity to 3 (High Risk)

Answer 5 · 2024-06-05T07:29:36.000Z

koolexcrypto changed the severity to 2 (Med Risk)

Answer 6 · 2024-06-05T07:41:26.000Z

koolexcrypto marked the issue as partial-50

Answer 7 · 2024-06-05T09:41:00.000Z

koolexcrypto changed the severity to 3 (High Risk)

Answer 8 · 2024-06-05T09:41:26.000Z

koolexcrypto marked the issue as duplicate of #33

Answer 9 · 2024-06-11T07:51:40.000Z

koolexcrypto marked the issue as not a duplicate

Answer 10 · 2024-06-11T07:51:44.000Z

koolexcrypto changed the severity to QA (Quality Assurance)

Answer 11 · 2024-06-11T07:52:01.000Z

koolexcrypto marked the issue as grade-c