Closed c4-submissions closed 10 months ago
raymondfam marked the issue as insufficient quality report
Invalid assumptions. It's meant for the first depositor to avoid division by zero when minting shares.
raymondfam marked the issue as primary issue
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L56
Vulnerability details
Handling Zero Supply Case: If the rsETH supply is zero, it returns a default value of 1 ether. Even if there were no RSETH tokens minted or the whole of RSETH was burnt in the future. You still can redeem ETH with RSETH as 1 to 1.
Impact
RSETH can be forcefully pegged ETH price as 1 to 1, hardcoding RSETH actual value gaining more ETH than actual price when it is worth 0.
Proof of Concept
In
LRTOracle::getRSETHPrice()
Tools Used
Manual Review
Recommended Mitigation Steps
Remove hardcoded value
Assessed type
Rug-Pull