code-423n4 / 2023-11-kelp-findings


Manager role can manipulate price of rsETH #589

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTConfig.sol#L73

Vulnerability details

Impact

Manager role can manipulate price of rsETH.

Proof of Concept

As the Manager role can add a new asset, he can add any scam asset with low liquidity which has a high price, and he will deposit a few tokens of it as well: https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTConfig.sol#L73

The rsETH price is calculated on the basis of the value of the other assets supported here, so a scam asset with low liquidity which has a high price will surely manipulate the price of rsETH: https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L71

So the Manager can add a scam asset with low liquidity which has a high price, which will influence the price of rsETH.

Recommended Mitigation Steps

Give power to admin to approve new asset added by manager.

Assessed type

Other
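The following is an added illustration, not code from the Kelp repository or from the submitter: a constructed model of the pricing rule the report describes (rsETH price = total value of supported assets held / rsETH supply, which is an assumption about the oracle) and of the recommended two-role gate, where a manager's proposed asset does not count toward the price until the admin approves it. Names such as `Protocol`, `JUNK` and `stETH` balances are constructed for the demo.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    price_eth: float   # oracle price of the asset, denominated in ETH
    balance: float     # tokens of the asset held by the protocol

@dataclass
class Protocol:
    assets: dict = field(default_factory=dict)   # assets that count toward the price
    pending: dict = field(default_factory=dict)  # manager proposals awaiting the admin
    rseth_supply: float = 0.0

    def rseth_price(self) -> float:
        # Assumed pricing rule: value of all supported assets / rsETH supply.
        total = sum(a.price_eth * a.balance for a in self.assets.values())
        return total / self.rseth_supply if self.rseth_supply else 1.0

    # Flow the finding describes: the manager's addition takes effect at once.
    def manager_add_asset_unchecked(self, name: str, asset: Asset) -> None:
        self.assets[name] = asset

    # Mitigation from the report: manager proposes, admin approves or rejects.
    def manager_propose_asset(self, name: str, asset: Asset) -> None:
        self.pending[name] = asset

    def admin_approve_asset(self, name: str) -> None:
        self.assets[name] = self.pending.pop(name)

    def admin_reject_asset(self, name: str) -> None:
        self.pending.pop(name)

def fresh_protocol() -> Protocol:
    # Constructed state: 100 stETH backing 100 rsETH, so rsETH trades at 1 ETH.
    p = Protocol(rseth_supply=100.0)
    p.assets["stETH"] = Asset(price_eth=1.0, balance=100.0)
    return p

# A thinly traded token whose oracle reports an inflated price (constructed).
JUNK = Asset(price_eth=1000.0, balance=1.0)

def price_with_unchecked_add() -> tuple:
    p = fresh_protocol()
    before = p.rseth_price()
    p.manager_add_asset_unchecked("JUNK", JUNK)
    return before, p.rseth_price()          # (1.0, 11.0): one token moved the price 11x

def price_with_approval_gate() -> tuple:
    p = fresh_protocol()
    p.manager_propose_asset("JUNK", JUNK)
    proposed = p.rseth_price()              # still 1.0: pending assets are not priced
    p.admin_reject_asset("JUNK")            # admin review is the control point
    return proposed, p.rseth_price()        # (1.0, 1.0)
```

The gate only helps if the admin actually reviews liquidity and oracle quality before approving; `admin_approve_asset` would reproduce the 11.0 result.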

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #126

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid