c4-submissions closed 10 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as primary issue
Inadequate elaboration as described in #39 or #102.
Agree that this is a low-effort report.
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119-L144
Vulnerability details
Impact
The user can deposit and receive rsETH tokens through the LRTDepositPool.depositAsset() function. The depositAsset() function calculates the rsethAmountMinted that the user will receive.
Proof of Concept
Let's say the user submitted a transaction via the depositAsset() function with uint256 depositAmount. The network was busy and his transaction was delayed for some time. During this time, market conditions have changed. The user may receive fewer rsETH tokens than expected.
Tools Used
Manual review
Recommended Mitigation Steps
You need to set the minimum number of tokens that the user wants to receive in the depositAsset() function.
Assessed type
Invalid Validation
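
The minimum-received check recommended above, sketched as an added example (not part of the original report and not the Kelp LRTDepositPool source). The contract, its interfaces, the `minRsethAmountExpected` parameter, the error names and the pricing formula are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Simplified, hypothetical deposit pool used only to illustrate a min-out guard.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

interface IPriceOracleLike {
    // Assumption: both prices are expressed in the same 1e18-scaled unit.
    function getAssetPrice(address asset) external view returns (uint256);
    function rsETHPrice() external view returns (uint256);
}

interface IMintableLike {
    function mint(address to, uint256 amount) external;
}

contract DepositPoolWithMinOut {
    IPriceOracleLike public immutable oracle;
    IMintableLike public immutable rsETH;

    error InvalidAmount();
    error TokenTransferFailed();
    error MinimumAmountToReceiveNotMet(uint256 minted, uint256 minimum);

    constructor(IPriceOracleLike oracle_, IMintableLike rsETH_) {
        oracle = oracle_;
        rsETH = rsETH_;
    }

    // Assumed pricing rule: deposit value divided by the current rsETH price.
    function getRsETHAmountToMint(address asset, uint256 amount) public view returns (uint256) {
        return (amount * oracle.getAssetPrice(asset)) / oracle.rsETHPrice();
    }

    function depositAsset(address asset, uint256 depositAmount, uint256 minRsethAmountExpected) external {
        if (depositAmount == 0) revert InvalidAmount();
        // The rate is read at execution time, so it can differ from the rate
        // the user saw when the transaction was signed.
        uint256 rsethAmountMinted = getRsETHAmountToMint(asset, depositAmount);
        // Caller-supplied floor: revert instead of minting less than the user accepted.
        if (rsethAmountMinted < minRsethAmountExpected) {
            revert MinimumAmountToReceiveNotMet(rsethAmountMinted, minRsethAmountExpected);
        }
        if (!IERC20Like(asset).transferFrom(msg.sender, address(this), depositAmount)) revert TokenTransferFailed();
        rsETH.mint(msg.sender, rsethAmountMinted);
    }
}
```

A caller would typically derive `minRsethAmountExpected` off-chain from the quoted `getRsETHAmountToMint` value minus a tolerance it is willing to accept.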