Closed c4-submissions closed 11 months ago
raymondfam marked the issue as insufficient quality report
raymondfam marked the issue as duplicate of #184
fatherGoose1 marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTConfig.sol#L144-L147
Vulnerability details
Impact
Manipulating the rsETH price.
Proof of Concept
The admin can change the rsETH token address, while the total supply of rsETH is used to calculate its price. Changing the rsETH address changes its price.
Tools Used
Manual Review
Recommended Mitigation Steps
Prevent changing the rsETH address after it's been configured.
Assessed type
Other
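The recommended mitigation above, sketched as a set-once setter next to a price reader that depends on the configured token's total supply. This is an added example, not code from the Kelp repository or from the report's author; the contract names, function names and the `totalEthBacking` parameter are all assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.21;

// Hypothetical, simplified contracts; not the Kelp code base.
interface ISupplyToken {
    function totalSupply() external view returns (uint256);
}

contract SetOnceConfig {
    address public immutable admin;
    address public rsETH; // zero until configured

    error NotAdmin();
    error ZeroAddress();
    error AlreadyConfigured();

    event RsETHConfigured(address indexed token);

    constructor() {
        admin = msg.sender;
    }

    // Set-once setter: a second call reverts, so the token address that the
    // price calculation reads cannot be repointed after configuration.
    function setRsETH(address token) external {
        if (msg.sender != admin) revert NotAdmin();
        if (token == address(0)) revert ZeroAddress();
        if (rsETH != address(0)) revert AlreadyConfigured();
        rsETH = token;
        emit RsETHConfigured(token);
    }
}

contract PriceReader {
    SetOnceConfig public immutable config;

    constructor(SetOnceConfig config_) {
        config = config_;
    }

    // Price in 1e18 fixed point: ETH backing divided by the supply of whichever
    // token the config names. totalEthBacking is passed in as an assumption;
    // a zero supply reverts on the division.
    function price(uint256 totalEthBacking) external view returns (uint256) {
        uint256 supply = ISupplyToken(config.rsETH()).totalSupply();
        return (totalEthBacking * 1e18) / supply;
    }
}
```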