LRTDepositPool receives the funds deposited by users into the Kelp product. From here, the funds are transferred to NodeDelegators contracts that delegate them to the EigenLayer strategy. The funds are then used to provide liquidity on the EigenLayer protocol . Users are also minted a receipt token RSETH. But the problem is there is no a withdraw function to get funds back from EigenLayer and transfer them to users .
Impact
Users will lost all their deposited tokens
Tools Used
Manual Review
Recommended Mitigation Steps
Implement a withdraw function to users withdraw their funds if needed .
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L19
Vulnerability details
LRTDepositPool receives the funds deposited by users into the Kelp product. From here, the funds are transferred to NodeDelegators contracts that delegate them to the EigenLayer strategy. The funds are then used to provide liquidity on the EigenLayer protocol . Users are also minted a receipt token RSETH. But the problem is there is no a withdraw function to get funds back from EigenLayer and transfer them to users .
Impact
Users will lost all their deposited tokens
Tools Used
Manual Review
Recommended Mitigation Steps
Implement a withdraw function to users withdraw their funds if needed .
Assessed type
Other