search

code-423n4 / 2023-11-kelp-findings

13 stars 11 forks source link

User can't withdraw its tokens. #486

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144

Vulnerability details

Impact

Users can't withdraw their tokens.

Proof of Concept

In LRTDepositPool.sol contract there is depositAsset() function, so users can transfer their LST tokens to the pool, however there is no withdraw() function and users can't withdraw their tokens back.

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144

Tools Used

Foundry, manual review.

Recommended Mitigation Steps

Consider to implement withdraw() functionality to allow user receive their tokens back.

Assessed type

Other

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #43

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid