code-423n4 / 2023-11-kelp-findings


rsETH tokens will be useless if admin updates the rsETH address in LRTConfig #184

Closed c4-submissions closed 10 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L144-L147

Vulnerability details

Impact

According to the current implementation, the admin role can update the rsETH address even if it already exists. This will lead to consistency issues. Since previous depositors will hold rsETH tokens with the previous address, their deposit will be considered useless since those rsETH (old) tokens don't have any reference in the codebase. Moreover, they won't be able to withdraw their deposits and all their assets will be locked in the contract.

Proof of Concept

POC not needed.

Tools Used

Manual review

Recommended Mitigation Steps

Remove the mentioned function. If it's necessary, then update the rsETH implementation in such a way that depositors can migrate from old rsETH to new rsETH at a 1:1 ratio.

Assessed type

Token-Transfer
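The pattern the finding describes, shown as an added illustration rather than the Kelp codebase: an admin setter that silently overwrites an existing rsETH address, beside a set-once variant in the spirit of the mitigation. Contract, function and event names are assumed for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the Kelp LRTConfig source. Names are assumed.

// The shape of the issue: any later admin call replaces the token address
// that existing depositors' rsETH balances were minted against.
contract ConfigOverwritable {
    address public admin;
    address public rsETH;

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Only the zero-address check guards this; an already-set rsETH is overwritten.
    function setRSETH(address rsETH_) external onlyAdmin {
        require(rsETH_ != address(0), "zero address");
        rsETH = rsETH_;
    }
}

// Hardened variant: the address can be initialised exactly once, so the
// token holders already depend on can never be swapped out from under them.
contract ConfigSetOnce {
    address public admin;
    address public rsETH;

    event RSETHSet(address indexed rsETH);

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    function setRSETH(address rsETH_) external onlyAdmin {
        require(rsETH_ != address(0), "zero address");
        // Reject any attempt to replace an address that is already configured.
        require(rsETH == address(0), "rsETH already set");
        rsETH = rsETH_;
        emit RSETHSet(rsETH_);
    }
}
```

If a replacement must remain possible, the second call should be paired with an explicit 1:1 migration path for holders of the old token rather than a bare reassignment.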

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #69

raymondfam commented 11 months ago

This wouldn't easily happen unless there were going to be some upgrades and migrations involved.

c4-pre-sort commented 11 months ago

raymondfam marked the issue as not a duplicate

c4-pre-sort commented 11 months ago

raymondfam marked the issue as primary issue

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid