Open c4-submissions opened 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #36
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L22 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L71 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L47
Vulnerability details
Impact
The
nodeDelegatorQueue
list inLRTDepositPool
can only grow in size and the function to add addresses to it does not check if any of them would be a duplicate address. If the admins by mistake push a duplicate value to this array it would lead to breaking core functionality of the protocol and leading to potential loss of funds.Proof of Concept
nodeDelegatorQueue
is a regular list of addresses. It is only possible to add new addresses to it. The functionaddNodeDelegatorContractToQueue()
has some input validation, checking if the number of addresses to be added exceeds the current limit and also if any of the addresses is a zero address.https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L22
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162
This input validation is not enough, as the array should contain only unique values. There is no input validation to check if any of the values in the input
nodeDelegatorContracts
are duplicate within the array, or check if any of them is already contained in the array.This is a serious issue, as if accidentally a duplicate address is pushed this would break core functionality in the protocol. As an example let's take a look at the function
getAssetDistributionData()
:https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L71
This function returns the sum of an asset distributed along the Node Delegators and EigenLayer. If there is a duplicate value in the
nodeDelegatorQueue
array, the sum would contain that value twice, making it incorrect.Additionally
LRTOracle
'sgetRSETHPrice()
callsgetTotalAssetDeposits()
inLRTDepositPool
, which in turn callsgetAssetDistributionData()
. This means that in case this unwanted action happens, the oracle would return a wrong price, leading to possible loss of funds if abused.https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L47
Tools Used
Manual Review
Recommended Mitigation Steps
Before adding elements to the list add a check to see if any of the elements in the input array
nodeDelegatorContracts
are duplicate or if any element in the input arraynodeDelegatorContracts
is a duplicate of an element in thenodeDelegatorQueue
.Assessed type
Invalid Validation