LRTOracle, NodeDelegator, LRTDepositPool inherits from PausableUpgradeable which implies, that these contracts can be paused.
However, some functions from these contracts can be called even when the contract is in a paused state.
Paused state suggests that there shouldn't be any actions nor changes on the current, paused contract.
Proof of Concept
LRTOracle.sol
Function updatePriceOracleFor() does not implement whenNotPaused modifier. It's possible to add/update the price oracle of any supported asset even when the contract is in the paused state.
NodeDelegator.sol
Function maxApproveToEigenStrategyManager() does not implement whenNotPaused modifier. It allows to approve the maximum amount of asset to the Eigen strategy manager, even, when the contract is in the paused state.
LRTDepositPool.sol
Function addNodeDelegatorContractToQueue() does not implement whenNotPaused modifier. It's possible to add new node delegator contract addresses, even when the contract is in the paused state.
Function transferAssetToNodeDelegator() does not implement whenNotPaused modifier. It's possible to transfer asset lying in DepositPool to NodeDelegator contract, even, when the contract is in the paused state.
Function updateMaxNodeDelegatorCount() does not implement whenNotPaused modifier. It allows to update the max node delegator count, even, when the contract is in the paused state.
Tools Used
Manual code review
Recommended Mitigation Steps
Implement whenNotPaused modifier for mentioned functions
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L88 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/NodeDelegator.sol#L38 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L183 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L202 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L162
Vulnerability details
Impact
LRTOracle
,NodeDelegator
,LRTDepositPool
inherits fromPausableUpgradeable
which implies, that these contracts can be paused. However, some functions from these contracts can be called even when the contract is in a paused state. Paused state suggests that there shouldn't be any actions nor changes on the current, paused contract.Proof of Concept
LRTOracle.sol
Function
updatePriceOracleFor()
does not implementwhenNotPaused
modifier. It's possible to add/update the price oracle of any supported asset even when the contract is in the paused state.NodeDelegator.sol
Function
maxApproveToEigenStrategyManager()
does not implementwhenNotPaused
modifier. It allows to approve the maximum amount of asset to the Eigen strategy manager, even, when the contract is in the paused state.LRTDepositPool.sol
Function
addNodeDelegatorContractToQueue()
does not implementwhenNotPaused
modifier. It's possible to add new node delegator contract addresses, even when the contract is in the paused state.Function
transferAssetToNodeDelegator()
does not implementwhenNotPaused
modifier. It's possible to transfer asset lying in DepositPool to NodeDelegator contract, even, when the contract is in the paused state.Function
updateMaxNodeDelegatorCount()
does not implementwhenNotPaused
modifier. It allows to update the max node delegator count, even, when the contract is in the paused state.Tools Used
Manual code review
Recommended Mitigation Steps
Implement
whenNotPaused
modifier for mentioned functionsAssessed type
Access Control