search

code-423n4 / 2023-11-kelp-findings

13 stars 11 forks source link

LRTConfig can't remove old asset's #875

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L73-L89

Vulnerability details

Impact

The inability of LRTConfig to remove old assets can result in a potential DoS on LRTOracle.

Proof of Concept

The Manager can introduce a new asset to LRTConfig using:

    function _addNewSupportedAsset(address asset, uint256 depositLimit) private {
        UtilLib.checkNonZeroAddress(asset);
        if (isSupportedAsset[asset]) {
            revert AssetAlreadySupported();
        }
        isSupportedAsset[asset] = true;
        supportedAssetList.push(asset);
        depositLimitByAsset[asset] = depositLimit;
        emit AddedNewSupportedAsset(asset, depositLimit);
    }

LRTOracle's getRSETHPrice() function iterates through all assets to retrieve prices. If one of these assets, especially an upgradeable contract, is compromised, an attacker can DoS on LRTOracle by manipulating certain view functions to consistently revert, such as in the example below:

assetLyingInDepositPool = IERC20(asset).balanceOf(address(this));

Tools Used

Manual review

Recommended Mitigation Steps

Add a function to allow the manager to remove an asset.

Assessed type

Other

c4-pre-sort commented 1 year ago

raymondfam marked the issue as insufficient quality report

c4-pre-sort commented 1 year ago

raymondfam marked the issue as duplicate of #38

c4-judge commented 11 months ago

fatherGoose1 changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

fatherGoose1 marked the issue as grade-b