Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #62
fatherGoose1 marked the issue as satisfactory
fatherGoose1 changed the severity to 2 (Med Risk)
fatherGoose1 changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119-L144
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L95-L110
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52-L80
Vulnerability details
Impact
When a user mints rsETH, the price per share is determined by calculating the total value of all the assets held by the system. Before the user's shares are calculated, the DepositPool contract transfers the user's deposit amount to itself. That causes the asset amount to be inflated when the price per share is calculated, which in turn decreases the shares the user receives.
Proof of Concept
When a user deposits assets into DepositPool, it first transfers those assets and then calculates the shares to mint:
To calculate the share price, it uses the price of the asset and the price of rsETH, which is the total value of all the underlying assets divided by the total supply of rsETH:
Given that the DepositPool holds 100 stETH, has minted 99 rsETH, and 1 stETH = 1 ETH, then
rsETH price = 100e18 * 1e18 / 99e18 = 1.010101e18
If a user now wants to deposit 1 stETH they should get:
1e18 * 1e18 / 1.010101e18 = 9.9000001e17
But, because the deposit pool has first transferred the user's funds to itself, the rsETH price changes. Instead of holding 100 stETH it now holds 101 stETH:
101e18 * 1e18 / 99e18 = 1.020202e18
Thus, the user will receive 1e18 * 1e18 / 1.020202e18 = 9.8019804e17 rsETH.
The higher the deposit amount, the higher the difference in rsETH minted.
Tools Used
none
Recommended Mitigation Steps
Calculate the user's rsETH shares before transferring the underlying asset to the deposit pool.
Assessed type
Math
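The ordering issue described in this report, as an added example that is not part of the original submission or the Kelp code base: a simplified integer-arithmetic model of the report's 100 stETH / 99 rsETH scenario that compares transfer-then-price with the recommended price-then-transfer order across several deposit sizes. The class, method and function names are hypothetical, and a single asset priced at 1 ETH is assumed.

```python
"""Simplified model of the share-price calculation described in the report.
All names are hypothetical; this is not the Kelp contract code."""

WAD = 10**18  # 18-decimal fixed-point unit, as in the report's figures


class PoolModel:
    def __init__(self, assets: int, supply: int, asset_price: int = WAD):
        self.assets = assets            # stETH held by the pool (wei)
        self.supply = supply            # rsETH total supply (wei)
        self.asset_price = asset_price  # assumed: 1 stETH = 1 ETH

    def rseth_price(self) -> int:
        # Total value of the underlying assets divided by rsETH supply.
        return self.assets * self.asset_price // self.supply

    def shares_for(self, amount: int) -> int:
        return amount * self.asset_price // self.rseth_price()

    def deposit_transfer_first(self, amount: int) -> int:
        # Order described in the report: the balance grows before pricing.
        self.assets += amount
        minted = self.shares_for(amount)
        self.supply += minted
        return minted

    def deposit_price_first(self, amount: int) -> int:
        # Recommended order: price against the pre-deposit balance.
        minted = self.shares_for(amount)
        self.assets += amount
        self.supply += minted
        return minted


def shortfall(amount: int, assets: int = 100 * WAD,
              supply: int = 99 * WAD) -> tuple[int, int, int]:
    """Return (expected, received, lost) rsETH for one deposit."""
    expected = PoolModel(assets, supply).deposit_price_first(amount)
    received = PoolModel(assets, supply).deposit_transfer_first(amount)
    return expected, received, expected - received


if __name__ == "__main__":
    for n in (1, 10, 100):  # constructed deposit sizes, in stETH
        exp, got, lost = shortfall(n * WAD)
        print(f"{n:>3} stETH: expected {exp / WAD:.6f}, "
              f"received {got / WAD:.6f}, lost {lost * 100 / exp:.2f}%")
```

A regression test for the fix can assert that the minted amount equals the value computed from the pre-deposit balance, as `deposit_price_first` does here.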