code-423n4 / 2023-11-kelp-findings


Depositor receives smaller amount of rsETH token because of transfer before price calculation #200

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119-L144

Vulnerability details

Proof of Concept

When a user would like to mint rsETH, he can call the LRTDepositPool.depositAsset function. The first thing this function does is send tokens from the user to the LRTDepositPool. After that, minting is done.

The function getRsETHAmountToMint is responsible for calculating the amount of rsETH that the user is eligible to receive for the deposited amount of asset.

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L95-L110

    function getRsETHAmountToMint(
        address asset,
        uint256 amount
    )
        public
        view
        override
        returns (uint256 rsethAmountToMint)
    {
        // setup oracle contract
        address lrtOracleAddress = lrtConfig.getContract(LRTConstants.LRT_ORACLE);
        ILRTOracle lrtOracle = ILRTOracle(lrtOracleAddress);

        // calculate rseth amount to mint based on asset amount and asset exchange rate
        rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
    }

It's calculated as the eth amount that the user has provided with the deposited assets, divided by the price of rsETH. In order to calculate the rsETH price, we need to calculate the total eth balance of all supported assets in the system and then divide it by the total supply of rsETH. The more eth balance the system has, the higher the price of rsETH is.

The LRTDepositPool.getTotalAssetDeposits function is used to calculate the asset balance of the system; it calls the getAssetDistributionData function for the asset. One part of the system balance is the holdings of the LRTDepositPool contract. Exactly this value is increased once the transfer from the user is done during the deposit. As a result, the balance is increased before the rsETH price calculation, which means that the price of rsETH will increase and the user will receive a smaller amount of rsETH. And the bigger the amount the user has deposited, the worse the price he gets.

Impact

Depositors receive a smaller amount of rsETH during the mint.

Tools Used

VsCode

Recommended Mitigation Steps

First you need to calculate the rsETH price and then transfer the deposited assets.

Assessed type

Error
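The following is an added example, not code from the Kelp repository or from the report above: a small Python model of the pricing arithmetic the report describes, computed in 18-decimal fixed-point integers the way Solidity would. It runs the same deposit against the same starting pool with both orderings, transfer-then-price (the finding) and price-then-transfer (the mitigation), so the shortfall and its growth with deposit size can be checked directly. The pool state, asset name and prices are constructed values; the rule that the rsETH price is 1 ETH while no rsETH exists is an assumption made here to avoid division by zero.

```python
"""Constructed model of the rsETH mint computation (added example, not Kelp's code)."""
from dataclasses import dataclass, field

ONE = 10**18  # 1e18 fixed-point unit, mirroring Solidity's 18-decimal math


@dataclass
class Pool:
    # asset -> balance held by the deposit pool (only pool holdings are modelled here)
    balances: dict = field(default_factory=dict)
    # asset -> oracle price denominated in ETH, 1e18 scaled
    prices: dict = field(default_factory=dict)
    rseth_supply: int = 0

    def total_eth(self) -> int:
        """ETH value of every supported asset held by the pool (getTotalAssetDeposits analogue)."""
        return sum(bal * self.prices[asset] // ONE for asset, bal in self.balances.items())

    def rseth_price(self) -> int:
        """rsETH price = total ETH backing / rsETH supply (getRSETHPrice analogue)."""
        if self.rseth_supply == 0:
            return ONE  # assumption: 1 ETH per rsETH before the first mint
        return self.total_eth() * ONE // self.rseth_supply

    def rseth_to_mint(self, asset: str, amount: int) -> int:
        """amount * assetPrice / rsETHPrice, as in getRsETHAmountToMint."""
        return amount * self.prices[asset] // self.rseth_price()

    def deposit_transfer_first(self, asset: str, amount: int) -> int:
        """Vulnerable ordering: the pool balance grows before the price is read."""
        self.balances[asset] = self.balances.get(asset, 0) + amount
        minted = self.rseth_to_mint(asset, amount)  # price already inflated by the deposit
        self.rseth_supply += minted
        return minted

    def deposit_price_first(self, asset: str, amount: int) -> int:
        """Mitigated ordering: compute the mint amount, then take the transfer."""
        minted = self.rseth_to_mint(asset, amount)
        self.balances[asset] = self.balances.get(asset, 0) + amount
        self.rseth_supply += minted
        return minted


def fresh_pool() -> Pool:
    # constructed state: 100 stETH priced at 1 ETH each, backing 100 rsETH (price 1 ETH)
    return Pool(balances={"stETH": 100 * ONE}, prices={"stETH": ONE}, rseth_supply=100 * ONE)


def compare(deposit_amount: int) -> tuple:
    """Return (minted_vulnerable, minted_fixed) for one deposit against the same starting pool."""
    return (
        fresh_pool().deposit_transfer_first("stETH", deposit_amount),
        fresh_pool().deposit_price_first("stETH", deposit_amount),
    )


def shortfall_ratio(deposit_amount: int) -> float:
    """Fraction of rsETH the depositor loses under the vulnerable ordering."""
    vulnerable, fixed = compare(deposit_amount)
    return 1 - vulnerable / fixed


if __name__ == "__main__":
    for eth in (10, 100):
        vulnerable, fixed = compare(eth * ONE)
        print(f"deposit {eth} ETH: vulnerable mints {vulnerable / ONE:.4f} rsETH, "
              f"fixed mints {fixed / ONE:.4f} rsETH, loss {shortfall_ratio(eth * ONE):.1%}")
```

A deposit equal to the pool's existing backing doubles the measured total before the price is read, so the depositor is minted exactly half of what the mitigated ordering gives; a deposit a tenth that size loses about 9%, which is the "bigger deposit, worse price" effect the report describes. A unit test that asserts minted amounts match the pre-deposit price is the simplest regression check for this class of ordering bug.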

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #62

c4-judge commented 10 months ago

fatherGoose1 marked the issue as satisfactory

c4-judge commented 10 months ago

fatherGoose1 changed the severity to 2 (Med Risk)

c4-judge commented 10 months ago

fatherGoose1 changed the severity to 3 (High Risk)