Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L119-L144
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109
Vulnerability details
Impact
LRTDepositPool.depositAsset relies on getRsETHAmountToMint to determine the amount of rsETH to mint. The first depositor can mint a minimal amount of rsETH and then donate LST tokens directly to the pool to grossly inflate the rsETH price. Later depositors who stake into the pool then lose their funds to precision loss, because the amount of rsETH they are owed rounds down to zero.
Proof of Concept
The root cause of the vulnerability is that the depositAsset function allows users to mint a really small amount of rsETH at the initial stage (when the rsETH supply is zero), exposing the pool to the classic exchange-rate inflation attack. getRSETHPrice is derived from the pool's total asset deposits (measured by token balance, so direct transfers count) multiplied by the asset price and divided by the rsETH total supply; with a supply of 1 wei, every donated wei moves the price by a full unit. Let us walk through the issue with the following scenario:
1. At the initial pool condition, getRSETHPrice returns 1 ether. Alice calls LRTDepositPool.depositAsset with a minimal amount of 1 wei of stETH (the stETH price is approximately 1e18 ETH/stETH in base units) to mint roughly 1 * 1e18 / 1e18 = 1 wei of rsETH.
2. Alice then transfers 1e18 stETH directly to the LRTDepositPool contract, so that getTotalAssetDeposits now reads 1 + 1e18. As a result, getRSETHPrice is manipulated into returning an extremely high value, since totalETHInPool was pumped up while rsEthSupply remains 1. Given that assetER stays unchanged at 1e18, getRSETHPrice now reads (1 + 1e18) * 1e18 / 1 ~= 1e36.
3. Bob joins the pool after Alice with 0.99e18 stETH. Due to the inflated rsETH price, he receives ZERO rsETH in return: 0.99e18 * 1e18 / 1e36 rounds down to 0.
4. As a result, Alice's single wei of rsETH now represents the entire stETH balance of the pool, including the 0.99e18 stETH that belongs to Bob. Alice has effectively stolen Bob's funds. Furthermore, the rsETH price is now pumped roughly 2x higher again, since rsEthSupply stays the same while totalETHInPool has doubled, ensuring inevitable loss for future depositors.
Notice: a Bob deposit larger than 0.99e18 will not save him, since Alice can always observe Bob's pending transaction and front-run it with a donation sized as described in step 2. With the rsETH supply at 1 wei, Bob receives B * 1e18 / ((1 + D) * 1e18) = B / (1 + D) rsETH for a deposit B after a donation D, which rounds to zero whenever D >= B, so a donation equal to Bob's deposit is always enough.
Tools Used
Manual Review
Recommended Mitigation Steps
Consider requiring a minimum amount of rsETH to be minted by the first depositor, so that the rsETH price is more resistant to manipulation by donations.
Assessed type
Math