code-423n4 / 2023-11-kelp-findings

User may deposit low value asset in order to get high value asset #311

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L116-L144

Vulnerability details

Impact

A user may deposit a low-value asset in order to get a high-value asset; high-value asset depositors will suffer a loss.

Proof of Concept

A user deposits an asset and receives RSETH. On withdrawal (in the future, when it's implemented), it's highly likely that the user will not get the same asset back, because the contract simply mints RSETH to the user but does not save the asset the user deposits.

The assets used for deposits have different prices, so users are tempted to deposit a low-value asset in order to withdraw a high-value asset. High-value asset depositors will suffer a loss if they are unable to withdraw the same asset they deposited.

Tools Used

Manual Review

Recommended Mitigation Steps

Please consider saving the user's deposited asset, so the user can withdraw the same asset.

Assessed type

MEV

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #284

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #584

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid

c4-judge commented 10 months ago

fatherGoose1 marked the issue as partial-50

fatherGoose1 commented 10 months ago

The core impact is correct, but very little explanation or recommended mitigation steps are provided.

c4-judge commented 10 months ago

fatherGoose1 changed the severity to 3 (High Risk)