The DEFAULT_ADMIN_ROLE is as well the onlyLRTadmin which is in charge of unpausing the LRTDeposit as well as updateMaxNodeDelegatorCount. The DEFAULT_ADMIN_ROLE role has the ability of adding and removing other roles.
The project has not stated whether the DEFAULT_ADMIN_ROLE will be a Timelock Contract which would make sense in this case.
I would advise to either state clearly if this role would be given to the Timelock Contract or add another unpauser role.
Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L212-L215
Vulnerability details
Impact
The
DEFAULT_ADMIN_ROLE
is as well theonlyLRTadmin
which is in charge of unpausing theLRTDeposit
as well asupdateMaxNodeDelegatorCount
. TheDEFAULT_ADMIN_ROLE
role has the ability of adding and removing other roles.The project has not stated whether the
DEFAULT_ADMIN_ROLE
will be a Timelock Contract which would make sense in this case.I would advise to either state clearly if this role would be given to the Timelock Contract or add another
unpauser
role.Proof of Concept
Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.
Tools Used
Recommended Mitigation Steps
Assessed type
Access Control