Open c4-submissions opened 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #43
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #709
raymondfam marked the issue as duplicate of #294
raymondfam marked the issue as sufficient quality report
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/RSETH.sol#L47 https://github.com/code-423n4/2023-11-kelp/blob/main/src/NodeDelegator.sol#L51
Vulnerability details
Funds received from users deposits in LRTDepositPool are then transfered to NodeDelegator to delegate them to EigenLayer in order to generate yield . The problem here is that there is not a way to increase users RSETH balance or minting new tokens to users when a new yield is generated .
Impact
Users will not get yield generated by their funds in EigenLayer .
Proof of Concept
LRTDepositPool is the only to have
MINTER_ROLE
to mint new RSETH, but it does’t have a function to mint to users when they generated yield , it only mints when they deposit . Also RSETHbalanceOf()
function can’t be manipulated to increase the users balance when they generate yield .Tools Used
Manual Review
Recommended Mitigation Steps
increase users RSETH balance when their deposits generate yield from EigenLayer .
Assessed type
Other