Open c4-submissions opened 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #38
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L71-L89
Vulnerability details
Impact
The LRTDepositPool.sol contract provides an array of nodeDelegatorQueue, which includes NodeDelegator addresses. These addresses are used to provide asset amount distribution data among depositPool, NDCs and eigenLayer: https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L71-L89
Proof of Concept
Let's assume that one of the NodeDelegators had their keys compromised. Administrators lost access to it, assets were stolen. The contract has the ability to add a new NodeDelegator: https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162-L176. However, there is no deletion option. The getAssetDistributionData() function uses all the NodeDelegators from the nodeDelegatorQueue array. This will cause assetLyingInNDCs to be calculated incorrectly in the getAssetDistributionData() function.
Tools Used
Manual review
Recommended Mitigation Steps
Add the ability to remove NodeDelegator from the nodeDelegatorQueue array
Assessed type
Context