Closed c4-submissions closed 11 months ago
raymondfam marked the issue as sufficient quality report
raymondfam marked the issue as duplicate of #32
raymondfam marked the issue as duplicate of #468
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L45-L79
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L95-L110
Vulnerability details
Explanation
During flash crashes price oracles will return wrong values. Since the supported assets are really prone to this kind of crash, this can be a problem in Kelp. When a user deposits an asset, the amount of rsETH tokens he will receive also depends on the price of the supported asset at that moment.
If the oracle for 1 of the 3 supported assets returns an incorrect price during a flash crash, attackers will be able to mint more rsETH tokens than they should.
Impact
Attackers may be able to mint more rsETH tokens than expected when flash crashes happen, allowing them to profit from it.
Proof of Concept
LRTDepositPool. Since the price the oracle returns for stETH is wrong, the totalETHInPool will be wrongly calculated. This will lead to lrtOracle.getRSETHPrice() returning a lower value than expected, therefore minting more rsETH tokens than expected to the attacker.
Tools Used
Manual review.
Recommended Mitigation Steps
I would suggest using an off-chain monitoring system for Chainlink's minAnswer and maxAnswer in the price feeds and also having min and max values that are "coherent" or "acceptable" when fetching prices on-chain.
Assessed type
Oracle
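The on-chain half of the mitigation suggested in this report, as an added example that is not part of the submission or of the Kelp codebase: a wrapper that reverts when a Chainlink feed answer falls outside an operator-configured band. The contract name `BoundedPriceReader`, its functions and its errors are hypothetical; only `latestRoundData()` is Chainlink's own interface.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Chainlink's standard feed interface (only the function used here).
interface AggregatorV3Interface {
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

/// Hypothetical wrapper (not Kelp code): rejects feed answers outside a configured band.
contract BoundedPriceReader {
    error NotAdmin();
    error BadBounds(int256 min, int256 max);
    error BoundsNotSet(address feed);
    error PriceOutOfBounds(address feed, int256 answer);

    struct Bounds {
        int256 min;
        int256 max;
    }

    address public immutable admin;
    mapping(address => Bounds) public bounds; // feed address => acceptable band

    constructor() {
        admin = msg.sender;
    }

    /// Assumption: the operator picks a band that sits inside the feed's own
    /// minAnswer/maxAnswer, so an answer pinned at either limit is rejected too.
    function setBounds(address feed, int256 min, int256 max) external {
        if (msg.sender != admin) revert NotAdmin();
        if (min <= 0 || min >= max) revert BadBounds(min, max);
        bounds[feed] = Bounds(min, max);
    }

    /// Returns the feed answer only when it lies strictly inside the band;
    /// otherwise reverts, so a caller cannot price a deposit off an outlier.
    function readPrice(address feed) external view returns (uint256) {
        Bounds memory b = bounds[feed];
        if (b.max == 0) revert BoundsNotSet(feed);
        (, int256 answer,,,) = AggregatorV3Interface(feed).latestRoundData();
        if (answer <= b.min || answer >= b.max) revert PriceOutOfBounds(feed, answer);
        return uint256(answer); // safe cast: answer > b.min > 0
    }
}
```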