code-423n4 / 2023-11-kelp-findings


Potential Dangerous When Updating the `rsETH` and `LRTConfig` #763

Closed c4-submissions closed 11 months ago

c4-submissions commented 11 months ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTConfig.sol#L144
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/utils/LRTConfigRoleChecker.sol#L47

Vulnerability details

Impact

The update on rsETH and LRTConfig can manipulate the whole system.

Proof of Concept

In LRTConfig, the rsETH address can be updated arbitrarily; however, the system uses rsETH's supply to record deposits and calculate the price, so if rsETH is replaced by a newer address, the value of the rsETH issued to users will be meaningless. Also, the price could be broken while changing the rsETH, if the initial state of the new rsETH is set properly. For example, if the initial supply of the new rsETH is 0, then when calling getRSETHPrice the price will be 1 ether, and the attacker mints a large number of new rsETH at a price of 1 ether; after this, since there are already a lot of funds linked to the protocol and rsETH's supply is non-zero, the return value of getRSETHPrice will be larger than 1 ether and the attacker can benefit.

Similarly, all contracts inheriting from LRTConfigRoleChecker preserve the ability to update the LRTConfig; as a result, important values such as the supported assets and rsETH can be updated, which will result in deposit loss and price changes.

Tools Used

Manual

Recommended Mitigation Steps

Although the protocol is highly centralized, it is still recommended to remove some unnecessary privileged functions to avoid users' loss.

Assessed type

Other
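To make the price discontinuity described in the report concrete, here is an added Python model (not the Kelp contracts themselves) of the rsETH price as the report states it: 1 ether while the token's supply is zero, otherwise the pool's ETH value divided by the supply. The pool balance, supplies and the guarded setter that refuses a swap once the pool holds value are constructed assumptions for illustration, not code or a mitigation taken from the page.

```python
"""Model of getRSETHPrice and of swapping the rsETH token address."""
from dataclasses import dataclass

ETHER = 10**18  # 1 ether in wei


@dataclass
class RsETH:
    """Minimal stand-in for the rsETH token: only its total supply matters here."""
    total_supply: int = 0

    def mint(self, amount: int) -> None:
        self.total_supply += amount


@dataclass
class LRTSystem:
    total_eth_in_pool: int  # ETH value of all deposited assets, in wei (constructed)
    rseth: RsETH

    def get_rseth_price(self) -> int:
        # Wei per rsETH; the report states the price is 1 ether while supply is 0.
        if self.rseth.total_supply == 0:
            return ETHER
        return self.total_eth_in_pool * ETHER // self.rseth.total_supply

    def deposit(self, eth_wei: int) -> int:
        # Depositor receives rsETH at the current price; pool grows by the deposit.
        minted = eth_wei * ETHER // self.get_rseth_price()
        self.total_eth_in_pool += eth_wei
        self.rseth.mint(minted)
        return minted

    def update_rseth_unguarded(self, new: RsETH) -> None:
        self.rseth = new  # the arbitrary update the report describes

    def update_rseth_guarded(self, new: RsETH) -> None:
        # Assumed mitigation: once the pool holds value, only accept a
        # replacement whose supply matches, so the price cannot move.
        if self.total_eth_in_pool > 0 and new.total_supply != self.rseth.total_supply:
            raise ValueError("rsETH swap would change the price")
        self.rseth = new


def price_jump_after_swap() -> tuple[int, int, int]:
    """Price before the swap, right after it, and after one deposit at 1 ether."""
    system = LRTSystem(1000 * ETHER, RsETH(800 * ETHER))  # constructed state
    before = system.get_rseth_price()          # 1.25 ether
    system.update_rseth_unguarded(RsETH())     # fresh token, supply 0
    reset = system.get_rseth_price()           # 1 ether although pool holds 1000 ETH
    system.deposit(100 * ETHER)                # 100 rsETH minted at 1 ether
    return before, reset, system.get_rseth_price()  # pool 1100 / supply 100


def guarded_swap_outcomes() -> tuple[bool, int]:
    """The guard rejects a zero-supply token but allows a supply-preserving one."""
    system = LRTSystem(1000 * ETHER, RsETH(800 * ETHER))
    try:
        system.update_rseth_guarded(RsETH())
        rejected = False
    except ValueError:
        rejected = True
    system.update_rseth_guarded(RsETH(800 * ETHER))  # e.g. a migrated token
    return rejected, system.get_rseth_price()
```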

c4-pre-sort commented 11 months ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 11 months ago

raymondfam marked the issue as duplicate of #184

c4-judge commented 10 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid