Impact
The vulnerability allows users to manipulate the rseth price by directly transferring assets to the deposit pool or node delegator contracts.
By increasing the totalAssetAmt used in the price calculation, users can artificially inflate the rseth price and potentially earn profits from this manipulation.
Proof of Concept
For example, let's assume the current asset price is denoted as p. Now, a user transfers an amount x of assets to the deposit pool.
User's cost for the transferred assets would be p*x.
Before the transfer, the rseth total supply is denoted as t, and the price of rseth is represented as rp.
Here is the code rseth price can be inflated.
After the transfer, the new rseth price, denoted as rsethPrice_new, can be calculated using the following formula:
rsethPrice_new = rp * (1 + (p*x) / t)
Here is the code snippet of getAssetDistributionData function.
Both assetLyingInDepositPool and assetLyingInNDCs can be manipulated.
If the getRSETHPrice() function is used as the rseth price oracle, the user can easily manipulate the rseth price by directly transferring assets to the deposit pool.
By transferring a specific amount of assets, the user can influence the calculation and potentially earn profits from the manipulated rseth price.
Recommended Mitigation Steps
Use custom storage to store the asset balance instead of simple IERC20.balanceOf
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L71 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52
Vulnerability details
Impact The vulnerability allows users to manipulate the rseth price by directly transferring assets to the deposit pool or node delegator contracts. By increasing the
totalAssetAmt
used in the price calculation, users can artificially inflate the rseth price and potentially earn profits from this manipulation. Proof of Concept For example, let's assume the current asset price is denoted asp
. Now, a user transfers an amountx
of assets to the deposit pool. User's cost for the transferred assets would bep*x
. Before the transfer, the rseth total supply is denoted ast
, and the price of rseth is represented asrp
. Here is the code rseth price can be inflated.After the transfer, the new rseth price, denoted as
rsethPrice_new
, can be calculated using the following formula:rsethPrice_new = rp * (1 + (p*x) / t)
Here is the code snippet ofgetAssetDistributionData
function. BothassetLyingInDepositPool
andassetLyingInNDCs
can be manipulated.If the
getRSETHPrice()
function is used as the rseth price oracle, the user can easily manipulate the rseth price by directly transferring assets to the deposit pool. By transferring a specific amount of assets, the user can influence the calculation and potentially earn profits from the manipulated rseth price.Recommended Mitigation Steps Use custom storage to store the asset balance instead of simple
IERC20.balanceOf
Assessed type
Other