code-423n4 / 2023-11-kelp-findings


`setRSETH` will make holders lose their assets. #548

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/ee1154fcb6f6619cdc9aeda27503d9a2cbf6d8eb/src/LRTConfig.sol#L144-L147

Vulnerability details

Impact

setRSETH will make holders lose their assets. It seems that there is no compensation after the setRSETH address is reset.

Proof of Concept

In LRTDepositPool, users deposit assets to get setRSETH. The issue is that after users deposit, the rsETH address is still changeable. Once the rsETH address is changed, old holders will lose their funds, and the old-address rsETH tokens become useless because there is no compensation mechanism.

Tools Used

manual

Recommended Mitigation Steps

Add a compensation mechanism after an rsETH address change.

Assessed type

Access Control

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #184

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid