Closed c4-submissions closed 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #69
This wouldn't easily happen unless there were going to be some upgrades and migrations involved.
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as primary issue
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L144-L147
Vulnerability details
Impact
According to the current implementation, the admin role can update the rsETH address even if it already exists. This will lead to consistency issues. Since previous depositors will hold rsETH tokens with the previous address, their deposit will be considered useless since those (old) rsETH tokens don't have any reference in the codebase. Moreover, they won't be able to withdraw their deposits and all their assets will be locked into the contract.
Proof of Concept
POC not needed.
Tools Used
Manual review
Recommended Mitigation Steps
Remove the mentioned function. If it's necessary, then update the rsETH implementation in such a way that depositors can migrate from old rsETH to new rsETH in 1:1 ratio.
Assessed type
Token-Transfer
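The pattern the report objects to, and the set-once guard its mitigation points at, as an added example. This is not the Kelp LRTConfig contract and not the warden's code: the contract names (RsEthConfigVulnerable, RsEthConfigSetOnce, SetOnceDemo), the owner-style onlyAdmin check and the constructed addresses 0x1 and 0x2 are assumptions made for illustration only; the real contract has its own access-control scheme and is linked above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example, not the Kelp LRTConfig contract. It models the behaviour the
// report describes: an admin-only setter that can overwrite an address that
// has already been set. The contract names, the simple owner-based admin
// check and the sample addresses are assumptions for this illustration.

abstract contract AdminOnly {
    address public immutable admin;
    error NotAdmin();

    constructor() { admin = msg.sender; }

    modifier onlyAdmin() {
        if (msg.sender != admin) revert NotAdmin();
        _;
    }
}

// The shape the report objects to: nothing stops a second call from replacing
// the address, so balances held in the old token no longer correspond to
// anything the protocol recognises.
contract RsEthConfigVulnerable is AdminOnly {
    address public rsETH;
    error ZeroAddress();

    function setRSETH(address rsETH_) external onlyAdmin {
        if (rsETH_ == address(0)) revert ZeroAddress();
        rsETH = rsETH_; // silently overwrites any previous value
    }
}

// Hardened form along the lines of the mitigation: the address can be set
// exactly once. Any later change has to go through an explicit, separately
// reviewed migration path instead of a silent overwrite.
contract RsEthConfigSetOnce is AdminOnly {
    address public rsETH;
    error ZeroAddress();
    error AlreadySet(address current);

    event RsETHSet(address indexed rsETH);

    function setRSETH(address rsETH_) external onlyAdmin {
        if (rsETH_ == address(0)) revert ZeroAddress();
        // The check the report asks for: refuse to replace an existing address.
        if (rsETH != address(0)) revert AlreadySet(rsETH);
        rsETH = rsETH_;
        emit RsETHSet(rsETH_);
    }
}

// Exercises both variants. The demo contract deploys them, so it is their
// admin and passes onlyAdmin. Expected: overwriteAllowed == true for the
// vulnerable contract, overwriteBlocked == true for the set-once contract.
contract SetOnceDemo {
    function run() external returns (bool overwriteAllowed, bool overwriteBlocked) {
        RsEthConfigVulnerable v = new RsEthConfigVulnerable();
        v.setRSETH(address(0x1)); // constructed sample address
        v.setRSETH(address(0x2)); // second call succeeds: the old token is orphaned
        overwriteAllowed = v.rsETH() == address(0x2);

        RsEthConfigSetOnce s = new RsEthConfigSetOnce();
        s.setRSETH(address(0x1));
        try s.setRSETH(address(0x2)) {
            overwriteBlocked = false; // would mean the guard failed
        } catch {
            overwriteBlocked = s.rsETH() == address(0x1); // reverted, value intact
        }
    }
}
```

The guard only closes the silent-overwrite path; it does not by itself give existing holders the 1:1 migration the mitigation mentions, which would need a separate, explicitly designed swap mechanism.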