Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #197
fatherGoose1 marked the issue as unsatisfactory: Invalid
fatherGoose1 changed the severity to 2 (Med Risk)
fatherGoose1 marked the issue as satisfactory
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/NodeDelegator.sol#L59 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/NodeDelegator.sol#L122
Vulnerability details
Impact
The NodeDelegator contract tracks asset balance deployed into EigenStrategy configured in lrtConfig contract. The strategy however can be changed with LRTConfig::updateAssetStrategy(). If assets are deployed in one strategy and that strategy is updated then the previously deployed assets will no longer be tracked by NodeDelegator::getAssetBalance() which will eventually cause a mispricing of rsETH in LRTOracle::getRSETHPrice()
Tools Used
Manual Review
Recommended Mitigation Steps
Move assets from old to new strategy when updating strategies.
Assessed type
Other