c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L151-L157 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L95-L110 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L46

Vulnerability details

Impact

Users can lose all funds when calling depositAsset on the LRTDepositPool.

Proof of Concept

Alice wants to deposit 1 ETH into a strategy calling depositAsset

function depositAsset(
address asset,
uint256 depositAmount
)
external
whenNotPaused
nonReentrant
onlySupportedAsset(asset)
{
// checks
if (depositAmount == 0) {
    revert InvalidAmount();
}
if (depositAmount > getAssetCurrentLimit(asset)) {
    revert MaximumDepositLimitReached();
}

if (!IERC20(asset).transferFrom(msg.sender, address(this), depositAmount)) {
    revert TokenTransferFailed();
}

// interactions
uint256 rsethAmountMinted = _mintRsETH(asset, depositAmount);

emit AssetDeposit(asset, depositAmount, rsethAmountMinted);
}

This will further call the _mintRsETH which calls getRsETHAmountToMint

function _mintRsETH(address _asset, uint256 _amount) private returns (uint256 rsethAmountToMint) {
(rsethAmountToMint) = getRsETHAmountToMint(_asset, _amount);

address rsethToken = lrtConfig.rsETH();
// mint rseth for user
IRSETH(rsethToken).mint(msg.sender, rsethAmountToMint);
}

function getRsETHAmountToMint(
address asset,
uint256 amount
)
public
view
override
returns (uint256 rsethAmountToMint)
{
// setup oracle contract
address lrtOracleAddress = lrtConfig.getContract(LRTConstants.LRT_ORACLE);
ILRTOracle lrtOracle = ILRTOracle(lrtOracleAddress);

// calculate rseth amount to mint based on asset amount and asset exchange rate
rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
}

We are interested in the last line where the rsethAmountToMint is calculated
if lrtOracle.getAssetPrice(asset) returns 0, the rsethAmountToMint will be 0 and zero rsETH will be minted to the depositor causing him to lose all funds.

Tools Used

VS Code

Recommended Mitigation Steps

Make sure that the amount of ETH to mint is not 0.

function _mintRsETH(address _asset, uint256 _amount) private returns (uint256 rsethAmountToMint) {
    (rsethAmountToMint) = getRsETHAmountToMint(_asset, _amount);
+   require(rsethAmountToMint != 0, "Cannot mint 0 ether");

    address rsethToken = lrtConfig.rsETH();
    // mint rseth for user
    IRSETH(rsethToken).mint(msg.sender, rsethAmountToMint);
}

Assessed type

Oracle

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #168

c4-judge commented 10 months ago

fatherGoose1 changed the severity to QA (Quality Assurance)