Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #62
fatherGoose1 marked the issue as satisfactory
fatherGoose1 changed the severity to 2 (Med Risk)
fatherGoose1 changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119-L144
Vulnerability details
Proof of Concept
When user would like to mint rsETH, then he can call
LRTDepositPool.depositAsset
function. First thing, that this function will do is sending tokens to theLRTDepositPool
from user. After that minting is done.Function
getRsETHAmountToMint
is responsible to calculate amount of rsETH that user is eligible to receive for the deposited amount of asset.https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L95-L110
It's calculated like eth amount that user has provided with deposited assets divided by price of rsETH. In order to calculate esETH price, we need to calculate total eth balance of all supported assets in the system and then divide it by total supply of rsETH. The more eth balance system has then the higher price of rsETH is.
LRTDepositPool.getTotalAssetDeposits
function is used to calculate asset balance of the system, which callsgetAssetDistributionData
function for asset. One part of system balance is holding ofLRTDepositPool
contract. Exactly this value is increased, once transfer from user is done during the deposit. As result balance is increased before rsETH price calculation, which means that price of rsETH will increase and user will receive smaller amount of rsETH. And the bigger amount user have deposited, then worse price he has.Impact
Depositors receive less amount of rsETH during the mint.
Tools Used
VsCode
Recommended Mitigation Steps
First you need to calculate rsETH price and then transfer deposited assets.
Assessed type
Error