Open c4-submissions opened 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #36
fatherGoose1 changed the severity to QA (Quality Assurance)
fatherGoose1 marked the issue as grade-b
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L82-L88 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162-L176
Vulnerability details
Impact
The current implementation of the
LRTDepositPool
contract does not include a function to remove aNodeDelegator
from thenodeDelegatorQueue
. This absence presents a risk if an externally owned account (EOA) or an incompatible contract is mistakenly added to the queue. Such an error would disrupt key functions that rely ongetAssetDistributionData
, as this function attempts to callgetAssetBalance
on eachNodeDelegator
in the queue. Affected functions: LRTDepositPool:getTotalAssetDeposits
,getRsETHAmountToMint
,depositAsset
LRTOracle:getRSETHPrice
Proof of Concept
The issue arises due to the iteration over
nodeDelegatorQueue
ingetAssetDistributionData
and the absence of validation inaddNodeDelegatorContractToQueue
. https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L82-L88 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162-L176Tools Used
Forge
Recommended Mitigation Steps
add a check in
addNodeDelegatorContractToQueue
and make sure that each element is linked to the lrtConfigNodeDelegator
fromnodeDelegatorQueue
:Assessed type
DoS