This bug is different from the first depositor bug.
So when an attacker/one transfers tokens(supported assets) directly to the LRTDepositPool, the function getRSETHPrice() will return an inflated value because totalETHInPool will increase .
Now when a user calls the function depositAsset , they will get less minted rsETH because the function getRSETHPrice() is inflated which is unfair.
Tools Used
manual review
Recommended Mitigation Steps
Create a state variable for totalETHInPool for accounting in LRTDepositPool.
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L78
Vulnerability details
Proof of Concept
This bug is different from the first depositor bug. So when an attacker/one transfers tokens(supported assets) directly to the LRTDepositPool, the function getRSETHPrice() will return an inflated value because totalETHInPool will increase . Now when a user calls the function depositAsset , they will get less minted rsETH because the function getRSETHPrice() is inflated which is unfair.
Tools Used
manual review
Recommended Mitigation Steps
Create a state variable for totalETHInPool for accounting in LRTDepositPool.
Assessed type
Math