c4-pre-sort
commented
10 months ago raymondfam marked the issue as insufficient quality report
Open c4-submissions opened 10 months ago
c4-pre-sort
commented
10 months ago raymondfam marked the issue as insufficient quality report
c4-pre-sort
commented
10 months ago raymondfam marked the issue as duplicate of #36
c4-judge
commented
10 months ago fatherGoose1 changed the severity to QA (Quality Assurance)
c4-judge
commented
10 months ago fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162
Vulnerability details
Impact
The function
addNodeDelegatorContractToQueuedoesn't check that any of the addresses to be added tonodeDelegatorQueueare unique, meaning the same address could be mistakenly added to the queue multiple times. This would lead to incorrect accounting when callinggetTotalAssetDepositsas the asset balance of a contract would be counted twice. This in turn would lead to the rsETH price being returned bygetRSETHPricebeing too high. This means that any users who deposit into the protocol afterward the issue would receive less than their fair share of rsETH while prior depositors would be able to redeem their rsETH for more than their fair share of assets.On top of this there is no way for the admins to remove a mistaken address from the
nodeDelegatorQueuearray so the contract would have to e redeployed to resolve the issue.Recommended Mitigation Steps
addNodeDelegatorContractToQueuealready has a non zero address check so it's recommended that a check is added to ensure an address being added isn't already in thenodeDelegatorQueuearray. This could be done by adding a state variablemapping (address => bool) public isNodeDelegatorContractthat is then checked and assigned inaddNodeDelegatorContractToQueue.Assessed type
Invalid Validation