
Immense Hazel Copperhead - maxTokenAmountPerUser limit can be bypassed when currency token has less decimals than the launch token. #231

Open
sherlock-admin2 opened this issue Feb 19, 2025 · 0 comments
Labels
Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed

Comments

@sherlock-admin2
Contributor

Immense Hazel Copperhead

High

maxTokenAmountPerUser limit can be bypassed when currency token has less decimals than the launch token.

Summary

Due to the incorrect comparison in the function updateParticipation, an attacker can bypass the maxTokenAmountPerUser limit, allowing them to allocate more tokens than allowed.

Root Cause

The updateParticipation function in the Launch.sol contract contains a critical vulnerability due to the incorrect comparison of userTokenAmount and additionalCurrencyAmount (and refundCurrencyAmount). This comparison can lead to incorrect calculations when the payment currency and the token have different decimal places. For example, USDC has 6 decimals, while a LaunchToken might have 18 decimals. Adding these values directly without proper normalization can result in incorrect calculations, allowing an attacker to allocate more tokens than the maxTokenAmountPerUser.

https://github.com/sherlock-audit/2025-02-rova/blob/main/rova-contracts/src/Launch.sol#L355-L368

Internal Pre-conditions

Using a payment currency token with fewer decimals than the token being launched.

External Pre-conditions

Attacker needs to pass checks for the launch before being able to participate.

Attack Path

An attacker can exploit this vulnerability by:

  1. Initiating a participation with a small amount of tokens.
  2. Using the updateParticipation function to bypass the maxTokenAmountPerUser check due to the issue described above.

Impact

An attacker can bypass the maxTokenAmountPerUser limit, allowing them to allocate more tokens than allowed. This can lead to an unfair distribution of tokens and financial loss for other participants.

PoC

No response

Mitigation

Do the comparisons with request.tokenAmount.
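To make the root cause and the mitigation concrete, the following is an added illustration (not Launch.sol itself, and not the project's code): a simplified contract that keeps the relevant accounting and shows the vulnerable comparison next to the corrected one. The struct layout, function names, the `participate` helper and the absence of the launch group and signature checks are all assumptions made to keep the unit mismatch visible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// @notice Simplified model of the participation accounting described in this
/// finding. Added illustration only: struct layout, function names and the
/// missing launch-group/signature checks are assumptions, not the project's code.
contract ParticipationModel {
    struct ParticipationInfo {
        uint256 tokenAmount;    // launch tokens allocated to this participation (18 decimals)
        uint256 currencyAmount; // payment currency committed for it (e.g. USDC, 6 decimals)
    }

    /// @dev Only the request fields that matter for the limit check.
    struct UpdateRequest {
        uint256 tokenAmount;    // desired launch-token amount after the update
        uint256 currencyAmount; // currency that pays for tokenAmount
    }

    uint256 public immutable maxTokenAmountPerUser;      // limit in launch-token units
    mapping(address => ParticipationInfo) public participations;
    mapping(address => uint256) public userTokens;       // running per-user token total

    error MaxUserTokenAllocationReached(uint256 attempted, uint256 limit);

    constructor(uint256 maxTokens) {
        maxTokenAmountPerUser = maxTokens;
    }

    /// @notice Initial participation; this check is already in token units.
    function participate(uint256 tokenAmount, uint256 currencyAmount) external {
        if (tokenAmount > maxTokenAmountPerUser) {
            revert MaxUserTokenAllocationReached(tokenAmount, maxTokenAmountPerUser);
        }
        participations[msg.sender] = ParticipationInfo(tokenAmount, currencyAmount);
        userTokens[msg.sender] = tokenAmount;
    }

    /// @notice VULNERABLE pattern: the currency delta is added to a token total
    /// and compared against a token-denominated limit. With a 6-decimal currency
    /// and an 18-decimal token the delta is 1e12 times too small, so the check
    /// passes for almost any request and the stored total is wrong as well.
    function updateParticipationVulnerable(UpdateRequest calldata req) external {
        ParticipationInfo storage prev = participations[msg.sender];
        uint256 userTokenAmount = userTokens[msg.sender];

        if (req.currencyAmount > prev.currencyAmount) {
            uint256 additionalCurrencyAmount = req.currencyAmount - prev.currencyAmount;
            // BUG: 18-decimal token amount + 6-decimal currency amount
            if (userTokenAmount + additionalCurrencyAmount > maxTokenAmountPerUser) {
                revert MaxUserTokenAllocationReached(
                    userTokenAmount + additionalCurrencyAmount, maxTokenAmountPerUser
                );
            }
            userTokens[msg.sender] = userTokenAmount + additionalCurrencyAmount; // same unit error
        } else if (req.currencyAmount < prev.currencyAmount) {
            uint256 refundCurrencyAmount = prev.currencyAmount - req.currencyAmount;
            userTokens[msg.sender] = userTokenAmount - refundCurrencyAmount;    // same unit error
        }

        prev.tokenAmount = req.tokenAmount;
        prev.currencyAmount = req.currencyAmount;
    }

    /// @notice FIXED pattern (the mitigation above): derive the delta from
    /// request.tokenAmount and the stored tokenAmount so every operand is in
    /// launch-token units.
    function updateParticipationFixed(UpdateRequest calldata req) external {
        ParticipationInfo storage prev = participations[msg.sender];
        uint256 userTokenAmount = userTokens[msg.sender];

        if (req.tokenAmount > prev.tokenAmount) {
            uint256 additionalTokenAmount = req.tokenAmount - prev.tokenAmount;
            uint256 newTotal = userTokenAmount + additionalTokenAmount;
            if (newTotal > maxTokenAmountPerUser) {
                revert MaxUserTokenAllocationReached(newTotal, maxTokenAmountPerUser);
            }
            userTokens[msg.sender] = newTotal;
        } else if (req.tokenAmount < prev.tokenAmount) {
            uint256 refundTokenAmount = prev.tokenAmount - req.tokenAmount;
            userTokens[msg.sender] = userTokenAmount - refundTokenAmount;
        }

        prev.tokenAmount = req.tokenAmount;
        prev.currencyAmount = req.currencyAmount;
    }
}
```

Worked numbers (constructed): deploy with `maxTokenAmountPerUser = 1_000e18`, call `participate(500e18, 500e6)` (price of 1 USDC per token, an assumption), then submit an update with `tokenAmount = 5_000e18` and `currencyAmount = 5_000e6`. The vulnerable check computes `500e18 + 4_500e6`, which is roughly `500.0000000000045e18` and well under the limit, so it passes and even records a total of about `500e18` instead of `5_000e18`. The fixed check computes `500e18 + 4_500e18 = 5_000e18`, which exceeds `1_000e18`, and reverts with `MaxUserTokenAllocationReached`. The same unit mismatch affects the refund branch, which is why the corrected version derives both deltas from token amounts.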

@sherlock-admin3 sherlock-admin3 added Sponsor Confirmed The sponsor acknowledged this issue is valid Will Fix The sponsor confirmed this issue will be fixed labels Mar 9, 2025