search

code-423n4 / 2023-11-kelp-findings

13 stars 11 forks source link

Missing check on deposited amount #854

Closed c4-submissions closed 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119

Vulnerability details

Impact

depositAsset() transfers tokens from the sender without checking that the amount was indeed received. If the protocol were to accept other tokens than stETH, rETH, and cbETH, there is a possibility that some of the newly accepted tokens have custom ERC20 logic that implement fees. Since the amount of RSETH minted depends on how much was exactly deposited (uint256 rsethAmountMinted = _mintRsETH(asset, depositAmount);), this would pause a big accounting problem. In the worst case, protocol could lose funds as it mints more than what was deposited, and it will also fire a wrong event AssetDeposit since the depositAmount is not correct, throwing off off-chain logging services.

This is not a high-severity, as I am assuming the accepted ERC20-tokens are those present in the deployment script. This will become a problem if the protocol plan to expands to other ERC20-tokens.

Proof of Concept

    function depositAsset(
        address asset,
        uint256 depositAmount
    )
        external
        whenNotPaused
        nonReentrant
        onlySupportedAsset(asset)
    {
        // checks
        if (depositAmount == 0) {
            revert InvalidAmount();
        }
        if (depositAmount > getAssetCurrentLimit(asset)) {
            revert MaximumDepositLimitReached();
        }

        if (!IERC20(asset).transferFrom(msg.sender, address(this), depositAmount)) {
            revert TokenTransferFailed();
        }

        // interactions
        uint256 rsethAmountMinted = _mintRsETH(asset, depositAmount);

        emit AssetDeposit(asset, depositAmount, rsethAmountMinted);
    }

Tools Used

Manual review.

Recommended Mitigation Steps

The amounts received should be validated.

Assessed type

Invalid Validation

c4-pre-sort commented 1 year ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #166

c4-judge commented 11 months ago

fatherGoose1 marked the issue as unsatisfactory: Invalid