Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #116
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L56 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L94
Vulnerability details
Impact
The function
getAssetCurrentLimit()
inLRTDepositPool
can unexpectedly revert on underflow under certain circuimstances, breaking expected behaviour.Proof of Concept
The function
getAssetCurrentLimit()
is responsible for returning the amount of asset the user can currently deposit. This is done by subtracting the current deposits from the current asset deposit limit and returning the resulthttps://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L56
The asset deposit limit can be set by the admin in
LRTConfig
'supdateAssetDepositLimit()
function.https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L94
Observe that, if the deposit limit is being reduced there is no check on whether the current deposits are more than the deposit limit, meaning that the deposit limit can become less than the current deposit amount. If this happens the result of the subtraction will be negative and the function
getAssetCurrentLimit()
will revert on underflow.Furthermore, an attacker can induce this bug by frontrunning a transaction that reduces the deposit limit. The attacker needs to deposit just over that new limit in a frontrunning transaction, breaking the behaviour for anyone calling
getAssetCurrentLimit()
with that same asset.Tools Used
Manual Review
Recommended Mitigation Steps
Before doing the subtraction, check if
lrtConfig.depositLimitByAsset(asset) < getTotalAssetDeposits(asset)
. If it is then return 0, otherwise return the result oflrtConfig.depositLimitByAsset(asset) - getTotalAssetDeposits(asset)
.Assessed type
Under/Overflow