Closed c4-submissions closed 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Attacker transfers 10 stETH directly to LRTDepositPool (without calling depositAsset, just through stETH contract). No one would do this non-economical attack because no shares were minted uinless you're doing this for donation attack as a first stacker.
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L132-L134 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L56-L58 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L47-L51 https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L79
Vulnerability details
Impact
Malicious user is able to DoS the function
depositAsset
, by increasing the balance ofLRTDepositPool
for an underlying asset.Proof of Concept
There is a condition inside
depositAsset
which checks if the balance of the protocol for an underlying token is reached to the depositLimit (limit will be set by MANAGER role), thendepositAssets
doesn't let anyone to deposit that underlying asset:So imagine this scenario (See also getAssetCurrentLimit(), getTotalAssetDeposits(), getAssetDistributionData() and you see how
getAssetCurrentLimit
depends on balance ofLRTDepositPool
):depositLimit
ofstETH
is 10 (not real number, just an example).10 stETH
directly toLRTDepositPool
(without callingdepositAsset
, just through stETH contract).stETH.balanceOf(LRTDepositPool)
returns 10 and alsogetTotalAssetDeposits()
returns 10.getAssetCurrentLimit
returns 0, because:depositAssets
and wants to mint some amount ofrsETH
.MaximumDepositLimitReached
because the balance of protocol for assetstETH
is reached todepositLimit
and no one is able to mint any rsETH until the MANAGER callsupdateAssetDepositLimit
and set a higher limit.Tools Used
Manual Review
Recommended Mitigation Steps
Consider adding a mapping:
which stores how much asset is deposited through
depositAsset
.Assessed type
DoS