Open c4-submissions opened 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as primary issue
raymondfam marked the issue as high quality report
gus-staderlabs (sponsor) disputed
The Eigenlayer has a 1-1 mapping for asset and its strategy. We don't believe this an issue with KelpDAO or its code but with Eigenlayer if it upgrades its protocol to have multiple strategies for an asset. Then if this occurs, KelpDAO will also have to upgrade its contracts to ensure the compatibility to Eigenlayer. Also, if Eigenlayer changes strategies, they are responsible to migrate the internal accounting to the new address.
Currently eigenlayer's implementation allows them to have multiple startegies for any asset. -> But we can continue to deposit into one strategy for a asset and it won't be a problem for us. That is assuming 1:1 mapping won't harm us.
Above assumptions will only create problem in case, eigen layer wants to spread the current funds into multiple strategies for any asset in future upgrades. And in this case, they will provide proper heads up ahead of time and we can upgrade along with them accordingly.
In case they change their strategy for any asset, we can point to new strategy address and it should work fine. And in this case eigen layer should should take care of all migration of funds from old to new strategy.
But as currently nothing has been decided at eigen layer end. I believe we are good with our current assumption of 1:1. It would be a overkill to assume anything else as of now.
Please check the attached conversation with eigen layer team. Discord: https://discord.com/channels/1089434273720832071/1096331191243788379
Kelp has provided adequate reasoning behind the current design. I agree that it is unlikely that a breaking change from the Eigenlayer protocol would not be properly communicated ahead of time. Designing around this potentiality would impose added risk in the current design.
fatherGoose1 marked the issue as unsatisfactory: Invalid
Hey, @fatherGoose1.
I disagree with the reasons provided above.
We don't believe this an issue with KelpDAO or its code but with Eigenlayer if it upgrades its protocol to have multiple strategies for an asset.
The problem lies specifically in how Kelp DAO upgrades the strategy for assets. Nothing related to the functionality of EigenLayer Strategies.
Let's view at the code of startegy upgradeing
function updateAssetStrategy(
address asset,
address strategy
)
external
onlyRole(DEFAULT_ADMIN_ROLE)
onlySupportedAsset(asset)
{
UtilLib.checkNonZeroAddress(strategy);
if (assetStrategy[asset] == strategy) {
revert ValueAlreadyInUse();
}
assetStrategy[asset] = strategy;
}
As we can see, when an EigenLayer Strategy for an asset is changed, there is currently no mechanism in place to migrate user deposits from the old strategy to the new one. It is precisely in this scenario that the vulnerability arises.
If a strategy update occurs, the function getTotalAssetDeposits(asset)
will show a reduced value for that asset. This reduction happens because the function references assets deposited in NodeDelegator. Specifically, NodeDelegator.sol#getAssetBalance()
assesses the asset balance based on the user's current strategy. When a strategy update takes place, the balance associated with the previous strategy is no longer considered, leading to a decrease in totalDeposits
. As a result, the share price of rsETH
decreases, prompting the system to mint more rsETH
shares for depositors. Consequently, depositors can make immediate deposits, gaining shares that are more valuable than the actual amount they deposited.
This vulnerability describe significant flaws in the KelpDAO protocol flow. Nothing related to the functionality of EigenLayer Strategies.
But as currently nothing has been decided at eigen layer end. I believe we are good with our current assumption of 1:1. It would be a overkill to assume anything else as of now.
The recommendations in this report do not make any assumptions about the implementation of 1:1 mapping. Instead, they specifically suggest updating the updateAssetStrategy()
function. in a way thet update would enable the transfer of user deposits from the old strategy to the new strategy once the new strategy is set. (as in my issue #644 writes)
I believe the issue has been misjudged and should be mitigated to High Severity Issue.
Have a good one.
@radeveth KelpDao will only update the strategy address when eigenLayer updates strategy for any asset (which eigenLayer currently has no plans as such).
Even if above scenario takes place. EigenLayer should provide proper communications ahead of time. And we can go through follow below steps:
if migration of contract state is not possible at eigenLayer and they(eigenlayer) decomission their old strategy, only in this scenario KelpDao will have to withdraw its funds from old strategy and redelgate it to new strategy. And these steps will be done in complete visibility and transparency with proper timelocks. But sees no harm or loss to funds or miscalculation.
This will be upgraded to MEDIUM.
The warden accurately explains how Kelp's internal accounting will be broken if they decide to use the updateAssetStrategy()
function. If Kelp changes the strategy address, rsETH share prices will decrease in a way that should not occur.
While Kelp describes the list of actions that they would take in the case they would need to change the strategy address, the implementation does not protect against the possibility of the broken accounting.
fatherGoose1 changed the severity to 2 (Med Risk)
Hey, @fatherGoose1.
This has been marked as medium, but it still has the unsatisfactory label.
Have a good one
fatherGoose1 marked the issue as satisfactory
fatherGoose1 marked the issue as selected for report
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L70 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L49 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L84 https://github.com/code-423n4/2023-11-kelp/blob/main/src/NodeDelegator.sol#L122-L123
Vulnerability details
Impact
If there is update in strategy,
getTotalAssetDeposits(asset)
will reduce for asset. Because it checks for the assets deposited in NodeDelegator. NodeDelegator.getAssetBalance() will check for asset balance for the strategy of the user. If strategy is updated, then the balance of old strategy won't be taken into account which will reduce the totalDeposits. This will reduce the rsETH share price and cause more rsETH shares to be minted for the depositors. Thus, depositors can immediately deposit and their shares are worth more than their deposit.Proof of Concept
Tools Used
Foundry
Recommended Mitigation Steps
While updating the strategy, ensure that balance deposited in previous strategy for same asset is accounted while minting the shares.
Assessed type
ERC4626