The problem is that an attacker can manipulate price of rseth and other users when depositng may get 0 rseth.
Proof of Concept
By minting a small amount of rseth and then transferring a large amount of another asset, the attacker can significantly distort the calculated rseth price. Subsequently, when other users attempt to deposit their assets, they won't receive the correct amount of rseth due to the inflated price.
getTotalAssetDeposits() uses balanceOf() to fetch balances of the contracts
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L52-L76 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L109 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L141
Vulnerability details
Impact
In deposit() function _mintRsETH() uses following formula to calculate how much rseth should be minted
The problem is that an attacker can manipulate price of rseth and other users when depositng may get 0 rseth.
Proof of Concept
By minting a small amount of rseth and then transferring a large amount of another asset, the attacker can significantly distort the calculated rseth price. Subsequently, when other users attempt to deposit their assets, they won't receive the correct amount of rseth due to the inflated price.
getTotalAssetDeposits() uses balanceOf() to fetch balances of the contracts
Tools Used
Manual Review
Recommended Mitigation Steps
Consider not using balanceOf for price calculation
Assessed type
Oracle