Judge has assessed an item in Issue #776 as 2 risk. The relevant finding follows:

[Low-01] No minimum rsETH receive-amount parameter in depositAsset()

Here we can see that the user deposits an asset via depositAsset(), which takes the asset address and the asset depositAmount as parameters. Then rsethAmountMinted is calculated via _mintRsETH(), which fetches the corresponding asset price from the oracle and uses the formula (amount * assetPrice)/rsETHPrice to calculate rsethAmountMinted.

The problem here is that if something goes wrong with the oracle, the fetched price is mismatched with the actual value. Then the user may receive a smaller amount than intended; there may be huge slippage.
```solidity
function depositAsset(
    address asset,
    uint256 depositAmount,
    uint256 minAmount
)
    external
    whenNotPaused
    nonReentrant
    onlySupportedAsset(asset)
{
    // checks
    if (depositAmount == 0) {
        revert InvalidAmount();
    }
    if (depositAmount > getAssetCurrentLimit(asset)) {
        revert MaximumDepositLimitReached();
    }

    uint256 rsethAmountMinted = _mintRsETH(asset, depositAmount, minAmount);
}
```

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L151-L157
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L119-L122

Mitigation

To overcome that, the function should also have another parameter like minAmountReceived, input by the user, where the user clearly says how much rsETH they want to mint back (the slippage they can bear).
And it should be checked against rsethAmountToMint in _mintRsETH() before minting.

Before:

```solidity
function _mintRsETH(address _asset, uint256 _amount) private returns (uint256 rsethAmountToMint) {
```

After:

```solidity
function _mintRsETH(address _asset, uint256 _amount, uint256 _minAmount) private returns (uint256 rsethAmountToMint) {
    (rsethAmountToMint) = getRsETHAmountToMint(_asset, _amount);
    require(rsethAmountToMint >= _minAmount, "error");
    address rsethToken = lrtConfig.rsETH();
    // mint rseth for user
    IRSETH(rsethToken).mint(msg.sender, rsethAmountToMint);
}
```
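The following is an added worked example, not code from the Kelp DAO repository or from the finding above. It models the mint formula (amount * assetPrice)/rsETHPrice in 1e18 fixed-point integer arithmetic (floor division, as Solidity uint256 would do), quantifies how much rsETH a depositor loses when the oracle under-reports the asset price, and shows how the proposed minAmount check turns that loss into a revert. All prices and amounts are constructed sample values; the function names are illustrative, not the contract's.

```python
# Added example (not from the Kelp DAO code base or the C4 report): a fixed-point
# model of the rsETH mint formula and of the proposed minimum-amount check.
WAD = 10**18  # 1e18 fixed-point scale, as used for prices in the Solidity contract


class SlippageExceeded(Exception):
    """Raised when the rsETH to be minted is below the caller's minimum (the proposed check)."""


def get_rseth_amount_to_mint(deposit_amount: int, asset_price: int, rseth_price: int) -> int:
    """Mirror of (amount * assetPrice) / rsETHPrice with integer (floor) division,
    matching Solidity uint256 arithmetic. Prices are WAD-scaled ETH per token."""
    if rseth_price == 0:
        raise ZeroDivisionError("rsETH price must be non-zero")
    return deposit_amount * asset_price // rseth_price


def deposit_asset(deposit_amount: int, asset_price: int, rseth_price: int, min_amount: int) -> int:
    """Model of the proposed depositAsset(asset, depositAmount, minAmount): compute the
    mint amount from the oracle prices, then revert (raise) if it is below the minimum."""
    if deposit_amount == 0:
        raise ValueError("InvalidAmount")
    minted = get_rseth_amount_to_mint(deposit_amount, asset_price, rseth_price)
    if minted < min_amount:
        raise SlippageExceeded(f"would mint {minted}, caller required at least {min_amount}")
    return minted


def shortfall_from_oracle_deviation(deposit_amount: int, fair_asset_price: int,
                                    reported_asset_price: int, rseth_price: int):
    """rsETH lost by the depositor when the oracle under-reports the asset price
    (the scenario the finding describes). Returns (expected, actual, shortfall)."""
    expected = get_rseth_amount_to_mint(deposit_amount, fair_asset_price, rseth_price)
    actual = get_rseth_amount_to_mint(deposit_amount, reported_asset_price, rseth_price)
    return expected, actual, expected - actual


def min_amount_for_tolerance(expected: int, tolerance_bps: int) -> int:
    """Slippage tolerance in basis points -> the minAmount a front end would pass."""
    return expected * (10_000 - tolerance_bps) // 10_000


if __name__ == "__main__":
    # Constructed sample values: 10 tokens deposited, fair asset price 1.00 ETH,
    # rsETH price 1.05 ETH; a faulty oracle reports the asset at 0.90 ETH.
    deposit = 10 * WAD
    fair, reported, rseth = WAD, 9 * WAD // 10, 105 * WAD // 100
    expected, actual, short = shortfall_from_oracle_deviation(deposit, fair, reported, rseth)
    print(f"expected {expected}, actual {actual}, shortfall {short}")
    min_out = min_amount_for_tolerance(expected, 50)  # 0.5% tolerance
    try:
        deposit_asset(deposit, reported, rseth, min_out)
    except SlippageExceeded as e:
        print("reverted:", e)
```

With the sample prices, the fair price yields about 9.52 rsETH while the under-reporting oracle yields about 8.57 rsETH, a loss of roughly 0.95 rsETH that the unmodified depositAsset() would silently accept; with a 0.5% tolerance the minimum is about 9.48 rsETH, so the modelled check reverts instead.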