Closed c4-submissions closed 11 months ago
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144
Users can't withdraw their tokens.
In LRTDepositPool.sol contract there is depositAsset() function, so users can transfer their LST tokens to the pool, however there is no withdraw() function and users can't withdraw their tokens back.
LRTDepositPool.sol
depositAsset()
withdraw()
Foundry, manual review.
Consider to implement withdraw() functionality to allow user receive their tokens back.
Other
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #43
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144
Vulnerability details
Impact
Users can't withdraw their tokens.
Proof of Concept
In
LRTDepositPool.sol
contract there isdepositAsset()
function, so users can transfer their LST tokens to the pool, however there is nowithdraw()
function and users can't withdraw their tokens back.https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144
Tools Used
Foundry, manual review.
Recommended Mitigation Steps
Consider to implement
withdraw()
functionality to allow user receive their tokens back.Assessed type
Other