code-423n4 / 2023-11-kelp-findings


User may receive fewer RSETH tokens due to slippage #556

Closed c4-submissions closed 10 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119-L144

Vulnerability details

Impact

The user can deposit and receive rsETH tokens through the LRTDepositPool.depositAsset() function. The depositAsset() function calculates the rsethAmountMinted that the user will receive.

Proof of Concept

Let's say the user submitted a transaction via the depositAsset() function with uint256 depositAmount. The network was busy and his transaction was delayed for some time. During this time, market conditions have changed. The user may receive fewer rsETH tokens than expected.

Tools Used

Manual review

Recommended Mitigation Steps

You need to set the minimum number of tokens that the user wants to receive in the depositAsset() function.

Assessed type

Invalid Validation
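The mitigation recommended in the report above, sketched as an added example; this is not code from the report or from Kelp's LRTDepositPool. The contract, interfaces, error names and the `minMinted` parameter are hypothetical, both prices are assumed to share one 1e18-scaled unit, and the `deadline` parameter goes beyond the report's recommendation to cover the delayed-transaction case it describes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Hypothetical minimal interfaces (assumptions, not the project's own).
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IMintableLike {
    function mint(address to, uint256 amount) external;
}
interface IPriceSourceLike {
    function assetPrice(address asset) external view returns (uint256);
    function receiptTokenPrice() external view returns (uint256);
}

/// Hypothetical deposit pool illustrating a caller-supplied minimum mint amount.
contract SketchDepositPool {
    IMintableLike public immutable receiptToken;
    IPriceSourceLike public immutable prices;

    error ZeroAmount();
    error Expired(uint256 deadline, uint256 executedAt);
    error MintBelowMinimum(uint256 minted, uint256 minMinted);

    constructor(IMintableLike receiptToken_, IPriceSourceLike prices_) {
        receiptToken = receiptToken_;
        prices = prices_;
    }

    /// Amount that would be minted at the prices in effect when this call executes.
    function previewMint(address asset, uint256 amount) public view returns (uint256) {
        return (amount * prices.assetPrice(asset)) / prices.receiptTokenPrice();
    }

    function depositAsset(address asset, uint256 amount, uint256 minMinted, uint256 deadline)
        external
        returns (uint256 minted)
    {
        if (amount == 0) revert ZeroAmount();
        // A transaction that sat in the mempool past the caller's deadline reverts.
        if (block.timestamp > deadline) revert Expired(deadline, block.timestamp);
        minted = previewMint(asset, amount);
        // Prices are read at execution time, so compare against the caller's floor.
        if (minted < minMinted) revert MintBelowMinimum(minted, minMinted);
        // Assumes a token whose transferFrom returns a bool.
        require(IERC20Like(asset).transferFrom(msg.sender, address(this), amount), "transfer failed");
        receiptToken.mint(msg.sender, minted);
    }
}
```

A front end would call `previewMint` off-chain, subtract the user's tolerance, and pass the result as `minMinted`.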

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as primary issue

raymondfam commented 11 months ago

Inadequate elaboration as described in #39 or #102.

fatherGoose1 commented 10 months ago

Agree that this is a low-effort report.

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid