Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #62
fatherGoose1 marked the issue as satisfactory
fatherGoose1 changed the severity to 2 (Med Risk)
fatherGoose1 changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L151
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L95
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L47
Vulnerability details
Impact
The miscalculation of the RsETH price leads to users receiving less than their rightful RsETH in depositAsset().
Proof of Concept
Within the depositAsset() function, when users deposit assets to mint RsETH, the rsethAmountMinted is incorrectly calculated. The process involves transferring a supported asset into LRTDepositPool.sol and then calling _mintRsETH().
The supported asset is transferred into the LRTDepositPool, then the _mintRsETH() function calculates rsethAmountToMint using getRsETHAmountToMint(), based on the specific _asset and its corresponding _amount.
The price of RsETH is calculated as the total combined ETH value of all supported assets divided by the RsETH totalSupply. The root cause of this issue is in the calculation of the RsETH price via lrtOracle.getRSETHPrice(), where it iterates through the supported assets to compute totalETHInPool.
Back in LRTDepositPool.getTotalAssetDeposits(), it combines the total assets present in the protocol. The assets are located in 3 different contracts: LRTDepositPool.sol, NodeDelegator.sol and its corresponding EigenLayer strategy. This returns an incorrect amount, as the user's asset was already transferred into LRTDepositPool.sol before the RsETH price is calculated. This miscalculation results in an inflated RsETH price, leading to a reduced rsethAmountToMint.
Tools Used
Manual Review
Recommended Mitigation Steps
Assessed type
Context
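The ordering problem described in the Proof of Concept, worked through numerically as an added example (a constructed Python model, not code from the report or from the Kelp contracts). It assumes a single supported asset, 18-decimal fixed-point math, and that the mint amount is the deposit's ETH value divided by the RsETH price; PoolModel and its method names are hypothetical.

```python
WAD = 10**18  # 18-decimal fixed point, mirroring Solidity integer math

class PoolModel:
    """Constructed single-asset model of the deposit flow (not Kelp's code)."""

    def __init__(self, asset_price, total_deposits, rseth_supply):
        self.asset_price = asset_price        # ETH per asset unit, WAD-scaled
        self.total_deposits = total_deposits  # what getTotalAssetDeposits() would report
        self.rseth_supply = rseth_supply      # RsETH totalSupply

    def rseth_price(self):
        # Total ETH value of the pool divided by RsETH totalSupply.
        if self.rseth_supply == 0:
            return WAD
        total_eth_in_pool = self.total_deposits * self.asset_price // WAD
        return total_eth_in_pool * WAD // self.rseth_supply

    def amount_to_mint(self, amount):
        # Assumed formula: deposit value in ETH divided by the RsETH price.
        return amount * self.asset_price // self.rseth_price()

    def deposit_transfer_first(self, amount):
        # Reported order: the transfer lands before the price is read,
        # so the depositor's own assets inflate the price they pay.
        self.total_deposits += amount
        minted = self.amount_to_mint(amount)
        self.rseth_supply += minted
        return minted

    def deposit_price_first(self, amount):
        # Comparison order: price is read against the pre-deposit balance.
        minted = self.amount_to_mint(amount)
        self.total_deposits += amount
        self.rseth_supply += minted
        return minted

    def eth_value(self, rseth_amount):
        return rseth_amount * self.rseth_price() // WAD

def compare(amount=100 * WAD):
    # Constructed state: 100 assets backing 100 RsETH, asset price 1 ETH.
    reported = PoolModel(WAD, 100 * WAD, 100 * WAD)
    expected = PoolModel(WAD, 100 * WAD, 100 * WAD)
    got, fair = reported.deposit_transfer_first(amount), expected.deposit_price_first(amount)
    return got, fair, reported.eth_value(got), expected.eth_value(fair)

if __name__ == "__main__":
    print(compare())
```

In this constructed state a 100-asset deposit mints 50 RsETH under the reported order instead of 100, and that 50 RsETH is backed by roughly 66.67 ETH of the pool, with the remainder accruing to existing holders.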