code-423n4 / 2023-11-kelp-findings


Flash crash of a supported asset can be used for profiting by an attacker #695

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/oracles/ChainlinkPriceOracle.sol#L38 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L45-L79 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L95-L110

Vulnerability details

Explanation

During flash crashes price oracles will return wrong values. Since the supported assets are really prone to this kind of crash, this can be a problem in Kelp. When a user deposits an asset, the amount of rsETH tokens he will receive depends also on the price of the supported asset at that moment.

        // LRTOracle.getRSETHPrice(): ETH value of all deposits (at oracle prices) / rsETH supply
        for (uint16 asset_idx; asset_idx < supportedAssetCount;) {
            address asset = supportedAssets[asset_idx];
            uint256 assetER = getAssetPrice(asset);

            uint256 totalAssetAmt = ILRTDepositPool(lrtDepositPoolAddr).getTotalAssetDeposits(asset);
            totalETHInPool += totalAssetAmt * assetER;

            unchecked {
                ++asset_idx;
            }
        }

        return totalETHInPool / rsEthSupply;

        // LRTDepositPool: rsETH minted for a deposit of `amount` of `asset`
        rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();

If the oracle of 1 of the 3 supported assets returns an incorrect price during a flash crash, attackers will be able to mint more rsETH tokens than they should.

Impact

Attackers may be able to mint more rsETH tokens than expected when flash crashes happen, allowing them to profit from it.

Proof of Concept

  1. stETH has a price of 100 and cbETH a price of 100 also.
  2. A flash crash happens in the Crypto space.
  3. Due to the flash crash, oracles start returning incorrect prices. Even though the stETH price is 50 and the cbETH price is also 50, the oracle is returning 25 and 50 respectively.
  4. The attacker sees the opportunity and deposits cbETH into LRTDepositPool. Since the price the oracle returns for stETH is wrong, the totalETHInPool will be wrongly calculated. This will lead to lrtOracle.getRSETHPrice() returning a lower value than expected, therefore minting more rsETH tokens than expected to the attacker.
  5. The oracle's stability recovers, putting the price of stETH at 50.
  6. The attacker has gained more rsETH tokens than expected, which he will be able to profit from.

Tools Used

Manual review.

Recommended Mitigation Steps

I would suggest using an off-chain monitoring system for Chainlink's minAnswer and maxAnswer in the price feeds and also having min and max values that are "coherent" or "acceptable" when fetching prices on-chain.

Assessed type

Oracle
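The following Python model is an added illustration and is not code from the Kelp contracts or from the report above. It mirrors the two arithmetic steps quoted in the finding (LRTOracle.getRSETHPrice and the rsETH mint formula in LRTDepositPool) in 1e18 fixed point, runs the PoC numbers (two assets at an honest price of 50, one feed wrongly reporting 25) to show how many extra rsETH the deposit mints, and then adds the kind of per-asset acceptable price band the mitigation section recommends. Asset names, balances, the rsETH supply and the bounds are constructed values, and `checked_price` / `PriceOutOfBounds` are hypothetical names chosen for the example.

```python
"""Model of Kelp's rsETH pricing and minting arithmetic under a bad oracle
reading, plus a price-band sanity check of the kind the report recommends.
Constructed example: asset balances, prices and bounds are made up."""

WAD = 10**18  # 18-decimal fixed point, the scale the contracts use


class PriceOutOfBounds(Exception):
    """Raised when a feed answer falls outside the configured band (hypothetical name)."""


def rseth_price(prices, deposits, rseth_supply):
    """Mirror of LRTOracle.getRSETHPrice: sum(deposit * price) / rsETH supply.
    prices and deposits are dicts keyed by asset name, all values WAD-scaled."""
    total_eth_in_pool = sum(deposits[a] * prices[a] for a in deposits)
    if rseth_supply == 0:
        return WAD  # nothing minted yet: rsETH priced at 1 ETH
    return total_eth_in_pool // rseth_supply


def rseth_to_mint(amount, asset_price, rs_price):
    """Mirror of LRTDepositPool: rsethAmountToMint = amount * assetPrice / rsETHPrice."""
    return amount * asset_price // rs_price


def checked_price(asset, reported, bounds):
    """Mitigation sketch: reject a feed answer outside a per-asset acceptable band.
    bounds maps asset -> (min_answer, max_answer), WAD-scaled."""
    lo, hi = bounds[asset]
    if reported < lo or reported > hi:
        raise PriceOutOfBounds(f"{asset}: {reported} outside [{lo}, {hi}]")
    return reported


def deposit(asset, amount, reported_prices, deposits, rseth_supply, bounds=None):
    """rsETH minted for a deposit. With bounds given, every fetched price is
    band-checked first, so a wrong reading reverts instead of mispricing rsETH."""
    if bounds is not None:
        reported_prices = {a: checked_price(a, p, bounds) for a, p in reported_prices.items()}
    rs_price = rseth_price(reported_prices, deposits, rseth_supply)
    return rseth_to_mint(amount, reported_prices[asset], rs_price)


# Constructed scenario following the PoC: two assets with equal balances,
# honest prices of 50 each, supply chosen so rsETH honestly prices at 50.
DEPOSITS = {"stETH": 1000 * WAD, "cbETH": 1000 * WAD}
RSETH_SUPPLY = 2000 * WAD
HONEST = {"stETH": 50 * WAD, "cbETH": 50 * WAD}
FLASH_CRASH = {"stETH": 25 * WAD, "cbETH": 50 * WAD}  # stETH feed reads half its real value
BOUNDS = {"stETH": (40 * WAD, 60 * WAD), "cbETH": (40 * WAD, 60 * WAD)}  # constructed band
DEPOSIT_AMOUNT = 100 * WAD  # cbETH deposited while the stETH feed is wrong


def honest_mint():
    """rsETH minted for the deposit when both feeds are correct."""
    return deposit("cbETH", DEPOSIT_AMOUNT, HONEST, DEPOSITS, RSETH_SUPPLY)


def flash_crash_mint():
    """rsETH minted for the same deposit while the stETH feed is wrong (no check)."""
    return deposit("cbETH", DEPOSIT_AMOUNT, FLASH_CRASH, DEPOSITS, RSETH_SUPPLY)


def flash_crash_mint_with_bounds():
    """Same deposit with the band check in place; None means it was rejected."""
    try:
        return deposit("cbETH", DEPOSIT_AMOUNT, FLASH_CRASH, DEPOSITS, RSETH_SUPPLY, BOUNDS)
    except PriceOutOfBounds:
        return None


if __name__ == "__main__":
    print("rsETH minted at honest prices:        ", honest_mint() / WAD)
    print("rsETH minted during bad stETH reading:", flash_crash_mint() / WAD)
    print("same deposit with price band check:   ", flash_crash_mint_with_bounds())
```

With the stETH feed at half its real value, the pool's total ETH value drops by a quarter, getRSETHPrice falls from 50 to 37.5, and the 100 cbETH deposit mints about 133.3 rsETH instead of 100. The band check stops the deposit entirely rather than letting the mispriced rsETH supply grow; the off-chain monitor the report suggests would cover the same condition by alerting on answers at or near the feed's minAnswer/maxAnswer.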

c4-pre-sort commented 11 months ago

raymondfam marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #32

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #468

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid