c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/NodeDelegator.sol#L51-L68

Vulnerability details

Impact

Eigen Strategy can have a maxPerDeposit variable that limit the amount of assets that it accept per deposit. Upon depositing funds to a strategy with depositAssetIntoStrategy(), Nodelegator contract send all its asset balance to it. One can monitor NodeDelegator contracts and directly send it an asset to block deposit.

Proof of Concept

Bob is super rich and vows to destroy KelpDao at any cost.
Bob monitors every Nodedelagator contracts so he can frontrun any tranction that call depositAssetIntoStrategy() function and send enough assets to make it revert.

Tools Used

Manual review

Recommended Mitigation Steps

There is several ways to solve this:

specify the amount to deposit to a strategy
call the getter of maxPerDeposit variable and calculate the max amount that can be deposited.

Assessed type

Token-Transfer

c4-pre-sort commented 1 year ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #103

c4-pre-sort commented 12 months ago

raymondfam marked the issue as duplicate of #471

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid

code-423n4 / 2023-11-kelp-findings

Node delagator can't deposit into strategy if balance of asset exceeds maxPerDeposit of the strategy. #309