LoopFi - DMoore's results

A dedicated lending market for Ethereum carry trades. Users can supply a long tail of Liquid Restaking Tokens (LRT) and their derivatives as collateral to borrow ETH for increased yield exposure.

General Information

Platform: Code4rena

Start Date: 01/05/2024

Pot Size: $12,100 USDC

Total HM: 1

Participants: 47

Period: 7 days

Judge: Koolex

Id: 371

League: ETH

Researcher Performance

Rank: 9/47

Findings: 1

Award: $386.08

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

284.4444 USDC - $284.44

Labels

bug
3 (High Risk)
satisfactory
sufficient quality report
upgraded by judge
:robot:_42_group
duplicate-33

External Links

Lines of code

https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L253-L263
https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L491-L505

Vulnerability details

Impact

During the claim process, _claim is called to send lpETH to the user. The amount, claimedAmount, is calculated from the amount the user staked during the lock period. However, when the user staked an allowed token to claim lpETH, claimedAmount is calculated from PrelaunchPoints's balance. A malicious user could therefore send any amount of ETH to PrelaunchPoints and call claim in a single transaction to claim any amount of lpETH they want, which makes the whole lock process useless.

Proof of Concept

  1. Alice locks x_amount of an allowed token in PrelaunchPoints by calling lock.
  2. After convertAllETH has been called and startClaimDate has passed, Alice can claim lpETH. The amount should equal the amount of ETH obtained by swapping the x_amount of staked tokens. Call the correct amount of lpETH Alice should get x_amt_ETH.
     https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L502-L504
        // Use our current buyToken balance to determine how much we've bought.
        boughtETHAmount = address(this).balance - boughtETHAmount;
        emit SwappedTokens(address(_sellToken), _amount, boughtETHAmount);
  3. However, Alice sends y_amount of ETH to PrelaunchPoints and calls claim in a single transaction, so the actual amount of lpETH she gets is y_amount + x_amt_ETH. Since y_amount can be any number, Alice can claim an arbitrary amount of lpETH and thus make the lock process useless.
     https://github.com/code-423n4/2024-05-loop/blob/40167e469edde09969643b6808c57e25d1b9c203/src/PrelaunchPoints.sol#L261-L263
            // Convert swapped ETH to lpETH (1 to 1 conversion)
            claimedAmount = address(this).balance;
            lpETH.deposit{value: claimedAmount}(_receiver);

Tools Used

Manual Review

Use the swapped amount of ETH in _fillQuote as claimedAmount rather than address(this).balance.
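
The recommendation above, shown as an added sketch that places the balance-based pattern beside a delta-based one; this is not LoopFi's code or its actual fix. IDepositVault, exchange and the function names are hypothetical, and the sketch assumes the caller's locked tokens and the swap calldata were validated before the call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not LoopFi's code. IDepositVault, exchange and the function
// names are hypothetical; only claimedAmount and boughtETHAmount mirror the page.
interface IDepositVault {
    function deposit(address receiver) external payable;
}

contract ClaimAccountingSketch {
    IDepositVault public immutable vault; // stands in for lpETH
    address public immutable exchange;    // stands in for the swap target

    constructor(IDepositVault _vault, address _exchange) {
        vault = _vault;
        exchange = _exchange;
    }

    // The swap target pays ETH here; so can any other sender.
    receive() external payable {}

    // Balance-based accounting: every wei the contract holds, including ETH
    // transferred in before the call, is credited to the receiver.
    function claimByBalance(address receiver, bytes calldata swapData) external returns (uint256 claimedAmount) {
        _swap(swapData);
        claimedAmount = address(this).balance;
        vault.deposit{value: claimedAmount}(receiver);
    }

    // Delta-based accounting: only ETH that arrived during the swap is credited.
    function claimBySwapDelta(address receiver, bytes calldata swapData) external returns (uint256 claimedAmount) {
        claimedAmount = _swap(swapData);
        vault.deposit{value: claimedAmount}(receiver);
    }

    // Returns the ETH received from the swap, measured as a balance difference
    // taken immediately before and after the external call.
    function _swap(bytes calldata swapData) internal returns (uint256 boughtETHAmount) {
        uint256 balanceBefore = address(this).balance;
        (bool ok, ) = exchange.call(swapData);
        require(ok, "swap failed");
        boughtETHAmount = address(this).balance - balanceBefore;
    }
}
```

With claimBySwapDelta, ETH sent to the contract ahead of the claim stays in its balance and is never credited to the claimant.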

Assessed type

Context

#0 - c4-judge

2024-05-15T14:18:02Z

koolexcrypto marked the issue as duplicate of #6

#1 - c4-judge

2024-05-31T09:58:29Z

koolexcrypto marked the issue as duplicate of #33

#2 - c4-judge

2024-06-05T09:55:53Z

koolexcrypto changed the severity to 3 (High Risk)

#3 - c4-judge

2024-06-05T09:56:07Z

koolexcrypto marked the issue as satisfactory
