setRSETH will make holders lose their assets. It seems that it doesn't have compensation after setRSETH address is reset.
Proof of Concept
In LRTDepositPool, users deposit assets to get setRSETH.The issue is after users deposit, the rsETH address is still changeable.
Once the rsETH address is changed, old holders will lose their funds, and the old address rsETH tokens become useless because there is no compensation mechanism.
Tools Used
manual
Recommended Mitigation Steps
Add compensation mechanism after rsETH address change
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/ee1154fcb6f6619cdc9aeda27503d9a2cbf6d8eb/src/LRTConfig.sol#L144-L147
Vulnerability details
Impact
setRSETH
will make holders lose their assets. It seems that it doesn't have compensation aftersetRSETH
address is reset.Proof of Concept
In
LRTDepositPool
, users deposit assets to getsetRSETH
.The issue is after users deposit, thersETH
address is still changeable. Once thersETH
address is changed, old holders will lose their funds, and the old addressrsETH
tokens become useless because there is no compensation mechanism.Tools Used
manual
Recommended Mitigation Steps
Add compensation mechanism after
rsETH
address changeAssessed type
Access Control