Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTConfig.sol#L144
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/utils/LRTConfigRoleChecker.sol#L47
Vulnerability details
Impact
The update on rsETH and LRTConfig can manipulate the whole system.
Proof of Concept
In LRTConfig, the rsETH address can be updated arbitrarily. However, the system uses rsETH's supply to record deposits and calculate the price, so if rsETH is replaced by a new address, the rsETH already issued to users becomes meaningless. The price can also break while rsETH is being changed, depending on how the initial state of the new rsETH is set. For example, if the initial supply of the new rsETH is 0, getRSETHPrice returns 1 ether, and an attacker can mint a large amount of the new rsETH at a price of 1 ether; after that, since a lot of funds are already linked to the protocol and rsETH's supply is non-zero, getRSETHPrice returns more than 1 ether and the attacker profits.
Similarly, all contracts that inherit from LRTConfigRoleChecker keep the ability to update LRTConfig; as a result, important values such as the supported assets and rsETH can be changed, which results in deposit loss and price changes.
Tools Used
Manual
Recommended Mitigation Steps
Although the protocol is highly centralized, it is still recommended to remove some unnecessary privileged functions to avoid users' loss.
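The following is an added illustration of the mitigation, not code from the Kelp repository. It places a minimal stand-in for the privileged setter beside a hardened variant in which the accounting token and the config reference are fixed at deployment. The contract and function names (LRTConfigUnsafe, setRSETH, RoleCheckerUnsafe, updateLRTConfig, and their hardened counterparts) are assumptions, and role-based access control is reduced to a single admin address.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not code from the Kelp repository. Access control is
// reduced to a single admin address; setRSETH and updateLRTConfig are assumed
// names standing in for the privileged setters the finding points to.

contract LRTConfigUnsafe {
    address public admin;
    address public rsETH;

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    constructor(address rsETH_) {
        admin = msg.sender;
        rsETH = rsETH_;
    }

    // Weak pattern: the token whose totalSupply backs deposit accounting and
    // the price calculation can be swapped at any time, even after deposits
    // exist, so a replacement with zero supply resets the price to 1 ether.
    function setRSETH(address rsETH_) external onlyAdmin {
        require(rsETH_ != address(0), "zero address");
        rsETH = rsETH_;
    }
}

contract LRTConfigHardened {
    address public immutable rsETH;

    constructor(address rsETH_) {
        require(rsETH_ != address(0), "zero address");
        rsETH = rsETH_;
    }
    // No setter: once deployed, the accounting token cannot be exchanged for
    // one whose supply no longer matches what users deposited.
}

// Role-checker stand-in. The unsafe version lets every inheriting contract be
// re-pointed at a different config, carrying its asset list and rsETH with it.
abstract contract RoleCheckerUnsafe {
    LRTConfigUnsafe public lrtConfig;

    constructor(LRTConfigUnsafe config) {
        lrtConfig = config;
    }

    function updateLRTConfig(LRTConfigUnsafe newConfig) external {
        require(msg.sender == lrtConfig.admin(), "not admin");
        lrtConfig = newConfig;
    }
}

// Hardened: the config reference is fixed at construction, so the privilege
// the finding describes does not exist on inheriting contracts.
abstract contract RoleCheckerHardened {
    LRTConfigHardened public immutable lrtConfig;

    constructor(LRTConfigHardened config) {
        require(address(config) != address(0), "zero address");
        lrtConfig = config;
    }
}
```

If a setter must remain for upgradeability, the usual compromise is to route it through a timelocked admin so that a change to rsETH or to the config is visible on-chain before it takes effect; the immutable form above is the direct reading of "remove unnecessary privileged functions".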
Assessed type
Other