Skip to content

Latest commit

 

History

History
73 lines (48 loc) · 2.99 KB

065.md

File metadata and controls

73 lines (48 loc) · 2.99 KB

Kind Golden Otter

High

Improper Validation Checks Will Affect User Participation Limits

Summary

Launch::updateParticipation contains two issues where token amounts and currency amounts are incorrectly compared. These issues arise due to mismatched units (tokens vs. currency) in the validation logic, leading to flawed checks for minimum and maximum token allocation thresholds. This can result in users either bypassing or being incorrectly restricted by the allocation limits.

Root Cause

The root cause is the improper comparison of values denominated in different units (tokens and currency). Specifically:

  1. Minimum Token Allocation Check: The function compares userTokenAmount - refundCurrencyAmount (where userTokenAmount is in tokens and refundCurrencyAmount is in currency) against settings.minTokenAmountPerUser (in tokens).

https://github.com/sherlock-audit/2025-02-rova/blob/fe68ceb7d90693f9be5c7fb94dde130da8d60d9e/rova-contracts/src/Launch.sol#L355

  1. Maximum Token Allocation Check: The function compares userTokenAmount + additionalCurrencyAmount (where userTokenAmount is in tokens and additionalCurrencyAmount is in currency) against settings.maxTokenAmountPerUser (in tokens).

https://github.com/sherlock-audit/2025-02-rova/blob/fe68ceb7d90693f9be5c7fb94dde130da8d60d9e/rova-contracts/src/Launch.sol#L368

These comparisons are invalid because they mix units, leading to incorrect validation logic.

Internal Pre-conditions

  1. A user have an existing participation he want to update

External Pre-conditions

  1. Signer sign a valid update request

Attack Path

none

Impact

  1. Flawed Minimum Allocation Check:

    • Users may bypass the minimum token allocation requirement, allowing them to participate with fewer tokens than intended.
    • Users may be incorrectly prevented from adjusting their participation even if they meet the minimum token threshold.

  2. Flawed Maximum Allocation Check:

    • Users may be improperly restricted from increasing their participation, even if they are within the correct token limits.
    • The function may fail to enforce the maximum token allocation, allowing users to exceed the allowed limit.

PoC

No response

Mitigation

To resolve these issues, ensure that all comparisons are performed in the correct unit (tokens):

  1. Fix for Minimum Token Allocation Check: Replace the incorrect comparison with:

    if (request.tokenAmount < settings.minTokenAmountPerUser) {
    revert MinUserTokenAllocationNotReached(
        request.launchGroupId, request.userId, userTokenAmount, request.tokenAmount
    );
}

  2. Fix for Maximum Token Allocation Check: Replace the incorrect comparison with:

    uint256 totalTokenAmount = request.tokenAmount;
if (totalTokenAmount > settings.maxTokenAmountPerUser) {
    revert MaxUserTokenAllocationReached(
        request.launchGroupId, request.userId, userTokenAmount, request.tokenAmount
    );
}