Open c4-submissions opened 10 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #36
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162
Vulnerability details
Impact
The function
addNodeDelegatorContractToQueue
doesn't check that any of the addresses to be added tonodeDelegatorQueue
are unique, meaning the same address could be mistakenly added to the queue multiple times. This would lead to incorrect accounting when callinggetTotalAssetDeposits
as the asset balance of a contract would be counted twice. This in turn would lead to the rsETH price being returned bygetRSETHPrice
being too high. This means that any users who deposit into the protocol afterward the issue would receive less than their fair share of rsETH while prior depositors would be able to redeem their rsETH for more than their fair share of assets.On top of this there is no way for the admins to remove a mistaken address from the
nodeDelegatorQueue
array so the contract would have to e redeployed to resolve the issue.Recommended Mitigation Steps
addNodeDelegatorContractToQueue
already has a non zero address check so it's recommended that a check is added to ensure an address being added isn't already in thenodeDelegatorQueue
array. This could be done by adding a state variablemapping (address => bool) public isNodeDelegatorContract
that is then checked and assigned inaddNodeDelegatorContractToQueue
.Assessed type
Invalid Validation