code-423n4 / 2023-11-kelp-findings

Lack of withdraw function in `LRTDepositPool`. #553

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/ee1154fcb6f6619cdc9aeda27503d9a2cbf6d8eb/src/LRTDepositPool.sol#L19

Vulnerability details

Impact

Lack of withdraw function in LRTDepositPool. Once a user deposits tokens to LRTDepositPool, he will lose his assets.

Proof of Concept

In LRTDepositPool, the user can only deposit tokens, but he can't withdraw his assets. There is no other way to change rsEth back to his assets. It will cause the user's assets to be lost.

Tools Used

manual

Recommended Mitigation Steps

add withdraw logic

Assessed type

Context

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #43

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid