Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #319
TotalAssetDeposits does not come into play till users start depositing LST where LSTs deposited by users will end up on that LST asset strategy contract in the Eigenlayer protocol.
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L94-L104
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L56-L58
Vulnerability details
Summary
The method updateAssetDepositLimit() doesn't check the TotalAssetDeposits. The limit can be set to a value < TotalAssetDeposits.
Vulnerability Details
The method updateAssetDepositLimit() stores the input amount as the depositLimit for an asset. It doesn't check the total assets already deposited. If set incorrectly, it can cause depositAsset() and getAssetCurrentLimit() to revert.
POC Test
Add the following test in LRTDepositPoolTest.t.sol
POC Logs
Impact
If the depositLimit is set to a value < TotalAssetDeposits, then getAssetCurrentLimit() will underflow, which will cause depositAsset() to revert.
Recommendations
Ensure that depositLimit >= TotalAssetDeposits when setting it in updateAssetDepositLimit().
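The pattern the report describes, and the recommended check, as an added illustration that is not the Kelp DAO code from the repository above. The contract names (SimpleConfig, SimpleDepositPool), the mapping and event names, and the plain `manager` access control are assumptions chosen to mirror the report; the real LRTConfig/LRTDepositPool code should be read at the linked lines. The point it shows is that under Solidity 0.8.x the subtraction in getAssetCurrentLimit() is checked arithmetic, so a limit below the current deposits makes that view revert with Panic(0x11), and every caller that routes through it (depositAsset()) reverts too, until the manager raises the limit again.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Added example, not Kelp DAO source. All names below are assumptions that
// mirror the pattern in the report, not the project's actual identifiers.

contract SimpleConfig {
    mapping(address => uint256) public depositLimitByAsset;
    address public immutable depositPool;
    address public manager;

    event AssetDepositLimitUpdate(address indexed asset, uint256 depositLimit);

    modifier onlyManager() {
        require(msg.sender == manager, "not manager");
        _;
    }

    constructor(address _depositPool) {
        manager = msg.sender;
        depositPool = _depositPool;
    }

    // Vulnerable pattern from the report: the new limit is stored without
    // comparing it to what has already been deposited for this asset.
    function updateAssetDepositLimitUnchecked(address asset, uint256 depositLimit)
        external
        onlyManager
    {
        depositLimitByAsset[asset] = depositLimit;
        emit AssetDepositLimitUpdate(asset, depositLimit);
    }

    // Hardened variant implementing the recommendation: reject any limit that
    // is below the current total deposits, so the pool's subtraction can never
    // go negative.
    function updateAssetDepositLimit(address asset, uint256 depositLimit)
        external
        onlyManager
    {
        uint256 deposited = SimpleDepositPool(depositPool).getTotalAssetDeposits(asset);
        require(depositLimit >= deposited, "limit below current deposits");
        depositLimitByAsset[asset] = depositLimit;
        emit AssetDepositLimitUpdate(asset, depositLimit);
    }
}

contract SimpleDepositPool {
    SimpleConfig public config;
    // Stand-in for the real balance lookup across pool/node delegators/EigenLayer.
    mapping(address => uint256) public totalAssetDeposits;

    // Illustration only: no access control on wiring the config.
    function setConfig(SimpleConfig _config) external {
        config = _config;
    }

    function getTotalAssetDeposits(address asset) public view returns (uint256) {
        return totalAssetDeposits[asset];
    }

    // Checked subtraction (Solidity >= 0.8): if the stored limit is smaller
    // than the total deposits this reverts with Panic(0x11), which is the
    // "underflow" the report refers to.
    function getAssetCurrentLimit(address asset) public view returns (uint256) {
        return config.depositLimitByAsset(asset) - getTotalAssetDeposits(asset);
    }

    // Any deposit path that consults the current limit inherits the revert.
    function depositAsset(address asset, uint256 amount) external {
        require(amount <= getAssetCurrentLimit(asset), "over limit");
        totalAssetDeposits[asset] += amount;
    }
}
```

Walk-through: deploy SimpleDepositPool, then SimpleConfig with the pool's address, call setConfig on the pool, set a limit of 100 for an asset and deposit 100. Lowering the limit to 50 through updateAssetDepositLimitUnchecked() succeeds, after which getAssetCurrentLimit() and depositAsset() both revert with Panic(0x11); the same call through updateAssetDepositLimit() is rejected with "limit below current deposits" and the pool keeps working.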
Assessed type
Under/Overflow