In the LRTDepositPool.depositAsset function, when a user deposits a supported LST asset in the deposit pool, he is minted rsETH share tokens proportional to the deposited amount and the asset price.
Per the price calculations, the depositor gets an amount of share tokens (rsETH) almost equivalent to the amount of the deposited asset:
LRTDepositPool.getRsETHAmountToMint function/L109
where lrtOracle.getRSETHPrice() is totalETHInPool / rsEthSupply.
But this function is missing a slippage parameter (a minimum amount of share tokens to be minted) that ensures the user gets a fair amount of shares, as the rsETH price calculation might be affected if the deposit pool receives direct LST transfers that do not go through the depositing process (the minting of rsETH).
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L151-L157
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109
Vulnerability details
Impact
In the LRTDepositPool.depositAsset function, when a user deposits a supported LST asset in the deposit pool, he is minted rsETH share tokens proportional to the deposited amount and the asset price.
Per the price calculations, the depositor gets an amount of share tokens (rsETH) almost equivalent to the amount of the deposited asset:
LRTDepositPool.getRsETHAmountToMint function/L109
where lrtOracle.getRSETHPrice() is totalETHInPool / rsEthSupply.
But this function is missing a slippage parameter (a minimum amount of share tokens to be minted) that ensures the user gets a fair amount of shares, as the rsETH price calculation might be affected if the deposit pool receives direct LST transfers that do not go through the depositing process (the minting of rsETH).
Proof of Concept
LRTDepositPool._mintRsETH function
LRTDepositPool.getRsETHAmountToMint function/L109
Tools Used
Manual Review.
Recommended Mitigation Steps
In the depositAsset function, add a _minShareAmount parameter as slippage protection:
Assessed type
Context
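The slippage check recommended under Recommended Mitigation Steps, as an added Python model that is not the project's code or the report's patch. The PoolModel class, its method names and all numbers are constructed for illustration, and the mint formula (amount * assetPrice / rsETHPrice) is this example's reading of the description above.

```python
WAD = 10**18  # 18-decimal fixed point (assumed scaling for prices and amounts)


class SlippageError(Exception):
    """Stands in for the revert a _minShareAmount check would trigger."""


class PoolModel:
    """Constructed single-asset model of the deposit pool, not the contract."""

    def __init__(self, asset_price, lst_balance, rseth_supply):
        self.asset_price = asset_price    # ETH per LST, WAD-scaled
        self.lst_balance = lst_balance    # LST held by the pool
        self.rseth_supply = rseth_supply  # rsETH in circulation

    def rseth_price(self):
        # totalETHInPool / rsEthSupply, WAD-scaled
        total_eth = self.lst_balance * self.asset_price // WAD
        return total_eth * WAD // self.rseth_supply

    def rseth_amount_to_mint(self, amount):
        # Assumed formula: deposited amount * asset price / rsETH price
        return amount * self.asset_price // self.rseth_price()

    def direct_transfer(self, amount):
        # LST sent straight to the pool: balance grows, no rsETH is minted
        self.lst_balance += amount

    def deposit_asset(self, amount, min_share_amount):
        shares = self.rseth_amount_to_mint(amount)
        if shares < min_share_amount:
            raise SlippageError(f"would mint {shares}, minimum {min_share_amount}")
        self.lst_balance += amount
        self.rseth_supply += shares
        return shares


def demo():
    pool = PoolModel(asset_price=WAD, lst_balance=100 * WAD, rseth_supply=100 * WAD)
    quoted = pool.rseth_amount_to_mint(10 * WAD)   # shares the depositor expects
    min_shares = quoted * 99 // 100                # caller accepts 1% slippage
    pool.direct_transfer(25 * WAD)                 # price moves before execution
    unprotected = pool.rseth_amount_to_mint(10 * WAD)  # minted with no check
    try:
        pool.deposit_asset(10 * WAD, min_shares)
        rejected = False
    except SlippageError:
        rejected = True
    return quoted, unprotected, rejected
```

In this constructed scenario the quote is 10 rsETH, a deposit without the check would mint 8 rsETH, and the deposit carrying the minimum is rejected instead of executing at the shifted price.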