Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #42
raymondfam marked the issue as not a duplicate
raymondfam marked the issue as duplicate of #338
raymondfam marked the issue as duplicate of #879
A flash loan exploit would need to be executed atomically. The situation described in multiple separate steps/calls isn't going to work.
fatherGoose1 marked the issue as satisfactory
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L56
Vulnerability details
Brief/Explanation
The first address to deposit rETH, stETH, or cbETH gets to mint up to the current limit at a 1:1 exchange rate, with the help of a flash loan. Additionally, since the minting limit has then been reached, this depositor would also cause a temporary DoS until the manager increases the limit.
Impact
Every user who tries to mint rsETH in exchange for stETH, rETH, or cbETH is subject to the exchange rate, except the first minter. For the sake of this report, we'll call this person Alice. According to the protocol's design, Alice can deposit the aforementioned tokens in exchange for rsETH at 1:1 because totalSupply == 0. Taking it up a notch, Alice, being the first minter, can borrow ETH, stake it to get stETH, and mint up to 100_000 ether rsETH, which is the current limit. Doing this will not only allow Alice to mint an enormous amount of rsETH at 1:1 and sell it on a secondary market for profit if possible; she can also make others temporarily unable to mint rsETH until the current limit is raised.
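The pricing and limit behaviour the report describes, as an added Python model that is not code from the Kelp repository; the 1 ETH fallback price at zero rsETH supply, the per-asset limit check, and the constructed stETH price of exactly 1 ETH are assumptions of this model:

```python
# Simplified model of rsETH minting against a per-asset deposit limit.
# Added illustration, not the Kelp contracts; the price fallback and the
# limit check mirror the report's description and are assumptions here.
from dataclasses import dataclass

ONE = 10**18  # 18-decimal fixed point, as in the Solidity contracts


@dataclass
class DepositPool:
    deposit_limit: int      # per-asset cap, in wei of the LST
    asset_price: int        # LST price in ETH, 18 decimals (constructed)
    deposits: int = 0       # total LST held by the pool
    rseth_supply: int = 0   # total rsETH minted so far

    def rseth_price(self) -> int:
        # With no rsETH in circulation there is nothing to divide by, so the
        # oracle falls back to exactly 1 ETH: this is the "first minter" case.
        if self.rseth_supply == 0:
            return ONE
        return self.deposits * self.asset_price // self.rseth_supply

    def current_limit(self) -> int:
        # Remaining room under the cap; the manager must raise the cap to reopen it.
        return self.deposit_limit - self.deposits

    def deposit(self, amount: int) -> int:
        # A deposit beyond the remaining limit reverts, so once one depositor
        # fills the cap nobody else can mint until the limit is increased.
        if amount > self.current_limit():
            raise ValueError("deposit exceeds current limit")
        minted = amount * self.asset_price // self.rseth_price()
        self.deposits += amount
        self.rseth_supply += minted
        return minted


def first_minter_scenario():
    # Constructed scenario: a 100_000 stETH cap and stETH priced at 1 ETH.
    pool = DepositPool(deposit_limit=100_000 * ONE, asset_price=ONE)
    alice_rseth = pool.deposit(100_000 * ONE)  # fills the whole cap at 1:1
    try:
        pool.deposit(ONE)                      # the next depositor is blocked
        bob_blocked = False
    except ValueError:
        bob_blocked = True
    return alice_rseth, pool.current_limit(), bob_blocked
```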
Proof of Concept
Tools Used
Foundry, Kelp test files, manual Review
Recommendation
Mint at least 1 rsETH token during deployment or initialization to eliminate the first-minting opportunity discussed above.
Assessed type
Other