Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #62
fatherGoose1 marked the issue as satisfactory
fatherGoose1 changed the severity to 2 (Med Risk)
fatherGoose1 changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L136 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L136 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L79
Vulnerability details
Impact
Depositors will get less rsETH than designed, especially when
depositAmount
is big and there are few assets in the protocol.Proof of Concept
In
depositAsset
, we first calltransferFrom
to transfer the asset into the pool, and then call_mintRsETH
to mint rsETH:In
_mintRsETH
, the rsETH amount is calculated fromgetRsETHAmountToMint
, which callslrtOracle.getRSETHPrice()
:In
getRSETHPrice
, is rsETH supply is not zero, we calculate the price usingtotalETHInPool / rsEthSupply
wheretotalETHInPool
is the total assets value in the protocol:The assets value in the pool will also be taken into account:
So the problem is:
So, the rsETH price will increase after the transfer of the assets and before the rsETH tokens are minted, which leads to fewer rsETH tokens for the depositor, especially when the deposit is big and there are few assets in the protocol, in which case the rsETH price will increase a lot.
Tools Used
Manual Review.
Recommended Mitigation Steps
Assessed type
Context