code-423n4 / 2023-11-kelp-findings


Changing asset strategy leaves funds in old strategy untracked #649

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/NodeDelegator.sol#L59
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/NodeDelegator.sol#L122

Vulnerability details

Impact

The NodeDelegator contract tracks the asset balance deployed into the EigenStrategy configured in the lrtConfig contract. The strategy, however, can be changed with LRTConfig::updateAssetStrategy(). If assets are deployed in one strategy and that strategy is updated, then the previously deployed assets will no longer be tracked by NodeDelegator::getAssetBalance(), which will eventually cause a mispricing of rsETH in LRTOracle::getRSETHPrice().

Tools Used

Manual Review

Recommended Mitigation Steps

Move assets from old to new strategy when updating strategies.

Assessed type

Other
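The accounting gap reported above, as an added example that is not part of the original report and is not Kelp's Solidity code: a simplified Python model in which the balance query only reads the currently configured strategy, run once with a plain strategy update and once with the recommended migration. All class and function names, the single asset priced at 1, the sample amounts and the instant withdrawal are assumptions made for the model.

```python
from fractions import Fraction

class Strategy:  # constructed stand-in: records deposits per depositor
    def __init__(self):
        self.deposits = {}
    def deposit(self, who, amount):
        self.deposits[who] = self.deposits.get(who, 0) + amount
    def withdraw_all(self, who):
        return self.deposits.pop(who, 0)
    def balance_of(self, who):
        return self.deposits.get(who, 0)

class Config:  # maps each asset to exactly one current strategy
    def __init__(self):
        self.strategy = {}
    def update_asset_strategy(self, asset, new_strategy):
        self.strategy[asset] = new_strategy  # the old pointer is overwritten

class NodeDelegator:
    def __init__(self, config):
        self.config = config
    def deposit_into_strategy(self, asset, amount):
        self.config.strategy[asset].deposit(self, amount)
    def get_asset_balance(self, asset):
        # Only the currently configured strategy is queried.
        return self.config.strategy[asset].balance_of(self)

def rseth_price(delegator, asset, rseth_supply):
    # One-asset model, asset priced at 1: price = tracked assets / rsETH supply.
    return Fraction(delegator.get_asset_balance(asset), rseth_supply)

def update_with_migration(config, delegator, asset, new_strategy):
    # The report's mitigation: move funds from the old strategy to the new one.
    moved = config.strategy[asset].withdraw_all(delegator)
    config.update_asset_strategy(asset, new_strategy)
    new_strategy.deposit(delegator, moved)

def scenario(migrate, asset="ASSET", amount=100, supply=100):
    config, old, new = Config(), Strategy(), Strategy()
    delegator = NodeDelegator(config)
    config.update_asset_strategy(asset, old)
    delegator.deposit_into_strategy(asset, amount)
    before = rseth_price(delegator, asset, supply)
    if migrate:
        update_with_migration(config, delegator, asset, new)
    else:
        config.update_asset_strategy(asset, new)
    after = rseth_price(delegator, asset, supply)
    return before, after, old.balance_of(delegator)  # last value = stranded funds
```

`scenario(False)` returns the price before the update, the price after it, and the amount still sitting in the old strategy; `scenario(True)` returns the same three values with migration applied.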

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #197

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid

c4-judge commented 10 months ago

fatherGoose1 changed the severity to 2 (Med Risk)

c4-judge commented 10 months ago

fatherGoose1 marked the issue as satisfactory