Platform: Code4rena
Start Date: 01/05/2024
Pot Size: $12,100 USDC
Total HM: 1
Participants: 47
Period: 7 days
Judge: Koolex
Id: 371
League: ETH
Rank: 22/47
Findings: 1
Award: $213.33
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xnev
Also found by: 0x04bytes, 0xBugSlayer, 0xJoyBoy03, 0xSecuri, 0xrex, Bigsam, DMoore, Evo, Greed, Kirkeelee, Krace, Pechenite, Rhaydden, SBSecurity, Sajjad, TheFabled, Topmark, XDZIBECX, ZanyBonzy, _karanel, bbl4de, btk, d3e4, gumgumzum, nfmelendez, novamanbg, petarP1998, samuraii77, sandy, shaflow2, sldtyenj12, web3er, y4y, yovchev_yoan
213.3333 USDC - $213.33
User can claim and stake more tokens via claimAndStake() than he had initially locked.
Based on "Users who provide liquidity for lpETH and lock the respective LP tokens with Loop, earn a points multiplier compared to just depositing ETH/LRTs and holding lpETH." it seems staking lpETH via claimAndStake() confers an advantage over staking directly oneself (perhaps based on the emitted claimedAmount).
By transferring ETH directly to the PrelaunchPoints contract before calling claimAndStake() on non-ETH tokens this ETH will be added to the claimedAmount = address(this).balance; and then deposited in lpETH and staked. The user is thus able to stake via claimAndStake() (or the amount claimed via claim()) for funds he had not locked.
Count the difference before and after _fillQuote().
Context
#0 - c4-judge
2024-05-15T13:55:27Z
koolexcrypto marked the issue as duplicate of #6
#1 - c4-judge
2024-05-31T09:58:35Z
koolexcrypto marked the issue as duplicate of #33
#2 - c4-judge
2024-06-05T08:08:59Z
koolexcrypto marked the issue as not a duplicate
#3 - c4-judge
2024-06-05T08:11:12Z
koolexcrypto marked the issue as duplicate of #33
#4 - c4-judge
2024-06-05T08:51:30Z
koolexcrypto marked the issue as partial-50
#5 - d3e4
2024-06-06T09:22:57Z
@koolexcrypto Why did this get partial-50? What is described here is exactly scenario 1 in #33. Other issues which also only describe the donation issue in claimAndStake() have received full duplicates, e.g. #58, #56, #55, #53.
Also, scenario 2 in #33 seems at best QA. The user is donating funds to all holders equally, so there is no incentive to do this for an attacker. And if it is possible to contribute to the total stake, without any unfair advantage, is this really an issue?
#6 - rexjoseph
2024-06-06T10:26:04Z
@d3e4 I think my issue #56 being a full duplicate is correct because I also specify how the donation is then exploited. I did talk about the claimAndStake() one too in another one of my reports at #48 which is somehow getting a partial-75 even though it clears all of the impact and builds on the deposit time invariant being broken and going further into the staking rewards part.
I do agree with your take. My second issue #48 is the same as yours and only them goes further towards the rewards part for staking which I believe both should be full duplicates.
#7 - Rhaydden
2024-06-06T20:49:57Z
Hi @d3e4,
I believe marking #55 as a full duplicate is appropriate because it not only addresses the donation issue in claimAndStake, but also thoroughly describes the full impact and details of how the issue could be orchestrated.
Regarding my other issue, #70, which received a partial-50 duplicate status, I agree with the judge's decision. I didn't fully explain the root cause of the issue in that report, although the impacts were explained.
Therefore, I support the judge's decision that #55 deserves the full duplicate status, contrary to your challenge.
#8 - d3e4
2024-06-06T21:55:04Z
@rexjoseph, @Rhaydden, I also think that all those reports (including mine) should be full duplicates.
#9 - koolexcrypto
2024-06-10T20:36:24Z
@koolexcrypto Why did this get
partial-50? What is described here is exactly scenario 1 in #33. Other issues which also only describe the donation issue inclaimAndStake()have received full duplicates, e.g. #58, #56, #55, #53.Also, scenario 2 in #33 seems at best QA. The user is donating funds to all holders equally, so there is no incentive to do this for an attacker. And if it is possible to contribute to the total stake, without any unfair advantage, is this really an issue?
The quality doesn't qualify for a full credit especially the PoC. However, all dups that don't mention lock duration bypassing will get less partial credit. still re-evaluating this.
#10 - d3e4
2024-06-10T21:18:01Z
The quality doesn't qualify for a full credit especially the PoC. However, all dups that don't mention lock duration bypassing will get less partial credit. still re-evaluating this.
The issue is very simple, hence a simple and succinct PoC. There is no information missing here that is present in Scenario 1 of #33 (note). I mentioned here both the direct transfer of funds and the lock bypassing, which fully constitutes Scenario 1. (I apologise if I misconstrued your comment.)
#11 - nevillehuang
2024-06-10T23:11:41Z
@koolexcrypto @d3e4 imho, most issues are missing the fact that you need to bundle a transaction to avoid risking other users claiming your donated ETH. Hence, I believe partial credits is appropriate, if not, I can respect full credit as well in the discretion of the judge.
#12 - c4-judge
2024-06-11T07:41:57Z
koolexcrypto marked the issue as partial-75
#13 - koolexcrypto
2024-06-11T07:43:27Z
The quality doesn't qualify for a full credit especially the PoC. However, all dups that don't mention lock duration bypassing will get less partial credit. still re-evaluating this.
The issue is very simple, hence a simple and succinct PoC. There is no information missing here that is present in Scenario 1 of #33 (note). I mentioned here both the direct transfer of funds and the lock bypassing, which fully constitutes Scenario 1. (I apologise if I misconstrued your comment.)
75% Partial credit for the fact that you mentioned both. The report is not elaborative enough.
#14 - d3e4
2024-06-11T12:51:50Z
@koolexcrypto @d3e4 imho, most issues are missing the fact that you need to bundle a transaction to avoid risking other users claiming your donated ETH. Hence, I believe partial credits is appropriate, if not, I can respect full credit as well in the discretion of the judge.
That would be an exploit of the exploit. It is not necessary for the #33 exploit to work, and an attacker must always consider potential counter-exploits or the effects of random user interactions etc. Also, it's fairly obvious, and very common, that exploits of this kind should be performed in a bundle. Since this is a technical detail of interest only to the attacker it should have no impact on the severity of this issue for the protocol.
#15 - d3e4
2024-06-11T12:52:09Z
The quality doesn't qualify for a full credit especially the PoC. However, all dups that don't mention lock duration bypassing will get less partial credit. still re-evaluating this.
The issue is very simple, hence a simple and succinct PoC. There is no information missing here that is present in Scenario 1 of #33 (note). I mentioned here both the direct transfer of funds and the lock bypassing, which fully constitutes Scenario 1. (I apologise if I misconstrued your comment.)
75% Partial credit for the fact that you mentioned both. The report is not elaborative enough.
@koolexcrypto What elaboration is missing? If you remove Scenario 2 from #33 there are not much more words remaining than in my report. Whatever difference remains amounts to verbal fluff rather than facts. What specific relevant fact is missing? I feel like my report is being punished for the effort of making it more succinct.
#16 - koolexcrypto
2024-06-11T17:50:24Z
I'm not fan of the concept of punishing and there is no such thing in this case. Please understand that, when I read a report, some are easily understandable and some are not. Quality matter.
This is an example of missing elaboration:
By transferring ETH directly to the PrelaunchPoints contract before calling claimAndStake() on non-ETH tokens this ETH will be added to the claimedAmount = address(this).balance; and then deposited in lpETH and staked. The user is thus able to stake via claimAndStake() (or the amount claimed via claim()) for funds he had not locked.
When it is too short, the burden is on the reader to track the steps and understand it, this is due to the lack of clear steps. Clear steps are quality. In some contests, some judges mark such reports immediately as insufficient proof. I didn't, because luckily it had many dups.