Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #284
raymondfam marked the issue as duplicate of #584
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 marked the issue as partial-50
The core impact is correct, but very little explanation or recommended mitigation steps are provided.
fatherGoose1 changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L116-L144
Vulnerability details
Impact
A user may deposit a low-value asset in order to get a high-value asset; high-value asset depositors will suffer a loss.
Proof of Concept
A user deposits an asset and receives RSETH. On withdrawal (in the future, when it's implemented), it's highly likely that the user will not get the same asset back, because the contract simply mints RSETH to the user but does not save the asset the user deposits.
The assets used to deposit have different prices, so users are tempted to deposit a low-value asset in order to withdraw a high-value asset. High-value asset depositors will suffer a loss if they are unable to withdraw the same asset as they deposited.
Tools Used
Manual Review
Recommended Mitigation Steps
Please consider saving the user's deposited asset, so the user can withdraw the same asset.
Assessed type
MEV
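The mitigation suggested in the report, recording which asset each deposit was made in so that withdrawal returns that same asset, as an added off-chain Python model that is not part of the original report or the Kelp code base. The `DepositLedger` class, the value-based mint formula and the prices are assumptions made for illustration.

```python
from collections import defaultdict

WAD = 10**18
# Constructed prices in ETH per token, scaled by 1e18 (not real oracle values).
PRICES = {"stETH": 1 * WAD, "cbETH": 105 * 10**16}


class DepositLedger:
    """Hypothetical model of a pool that remembers which asset backs each share."""

    def __init__(self, prices):
        self.prices = dict(prices)
        # (user, asset) -> [asset amount recorded, shares minted against it]
        self.positions = defaultdict(lambda: [0, 0])
        self.shares = defaultdict(int)

    def deposit(self, user, asset, amount):
        if asset not in self.prices or amount <= 0:
            raise ValueError("unsupported asset or non-positive amount")
        # Assumption: shares are minted by ETH value of the deposit.
        minted = amount * self.prices[asset] // WAD
        pos = self.positions[(user, asset)]
        pos[0] += amount
        pos[1] += minted
        self.shares[user] += minted
        return minted

    def withdraw(self, user, asset, shares):
        # .get() avoids creating an empty position for an asset never deposited.
        pos = self.positions.get((user, asset))
        if pos is None or shares <= 0 or shares > pos[1]:
            raise PermissionError("shares not backed by this user's deposit of this asset")
        # Pro-rata against the recorded deposit, independent of the current price,
        # so a cheaper deposit can never be redeemed for a dearer asset.
        amount = pos[0] * shares // pos[1]
        pos[0] -= amount
        pos[1] -= shares
        self.shares[user] -= shares
        return amount
```

rsETH is a transferable ERC-20 token, so a per-depositor record like this only holds while the shares stay with the original depositor; an on-chain design would also have to decide what a transferred share can redeem.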