Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 68/185
Findings: 2
Award: $38.79
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: T1MOH
Also found by: 0x1337, 0xNaN, 0xepley, 0xluckhu, 0xmystery, 7siech, Aamir, AlexCzm, Aymen0909, DanielArmstrong, GREY-HAWK-REACH, HChang26, Jiamin, Juntao, QiuhaoLi, Ruhum, SBSecurity, Varun_05, Weed0607, adam-idarrha, adriro, ast3ros, ayden, circlelooper, crack-the-kelp, crunch, cryptothemex, deepplus, mahdirostami, max10afternoon, osmanozdemir1, rouhsamad, rvierdiiev, trachev, xAriextz, zhaojie
36.0335 USDC - $36.03
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L136-L141
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L79
In LRTDepositPool::depositAsset(), the rsETH amount to be minted to the depositor is calculated from the input asset amount (a), the asset:ETH price (pa) and the rsETH:ETH price (pb) as (a*pa)/pb.
By design, the rsETH:ETH price should be calculated from the current asset balances and the current rsETH supply in the protocol. However, the current implementation also takes the new deposit amount into the calculation of the rsETH:ETH price, because the new deposit is transferred into the contract before the rsETH:ETH price is calculated. As a result, the rsETH:ETH price is somewhat higher than expected and the depositor gets less rsETH minted.
In LRTDepositPool::depositAsset(), call _mintRsETH() first and pull the user deposit last (i.e., IERC20(asset).transferFrom()).
Timing
#0 - c4-pre-sort
2023-11-16T00:16:04Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-11-16T00:16:19Z
raymondfam marked the issue as duplicate of #62
#2 - c4-judge
2023-11-29T21:19:59Z
fatherGoose1 marked the issue as satisfactory
#3 - c4-judge
2023-12-01T19:00:05Z
fatherGoose1 changed the severity to 2 (Med Risk)
#4 - c4-judge
2023-12-04T15:31:41Z
fatherGoose1 changed the severity to 3 (High Risk)
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
In LRTDepositPool::depositAsset(), if the new rsETH amount is 0, the deposit asset gets lost.
In LRTDepositPool::depositAsset(), the new rsETH amount to be minted to the depositor is calculated from the deposit amount and the rsETH price. If the deposit amount is very small and rsETH is expensive, the calculated rsETH amount may round down to 0. As a result, the user's deposit is pulled in but no rsETH is minted to the user.
Add a check at the end of LRTDepositPool::depositAsset() that reverts when the new rsETH amount is 0.
Math
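Both findings above (the deposit being counted in the rsETH price because transferFrom() runs first, and a small deposit rounding down to a zero mint) come down to the same share-accounting arithmetic. The following is an added, constructed Python model of that arithmetic, not the Kelp project's code: the DepositPool class, its asset/price/supply fields, the "stETH" sample pool and the "ZeroRsETHMint" revert reason are all assumptions, and amounts use Solidity-style 1e18 fixed point with floor division so the results match on-chain integer math.

```python
WAD = 10**18  # Solidity-style 1e18 fixed point; integer floor division throughout


class DepositPool:
    """Constructed, simplified model of LRTDepositPool share accounting."""

    def __init__(self, balances, prices, rseth_supply):
        self.balances = dict(balances)  # asset -> units held by the pool
        self.prices = dict(prices)      # asset -> asset:ETH price (WAD = 1 ETH)
        self.rseth_supply = rseth_supply

    def rseth_price(self):
        """rsETH:ETH price = total ETH value of pool assets / rsETH supply."""
        if self.rseth_supply == 0:
            return WAD
        total_eth = sum(b * self.prices[a] // WAD for a, b in self.balances.items())
        return total_eth * WAD // self.rseth_supply

    def _mint_amount(self, asset, amount):
        # (a * pa) / pb, the formula quoted in the first finding
        return amount * self.prices[asset] // self.rseth_price()

    def deposit_buggy(self, asset, amount):
        """Ordering described in the finding: transferFrom first, then price."""
        self.balances[asset] += amount             # deposit already counted ...
        minted = self._mint_amount(asset, amount)  # ... so the price is inflated
        self.rseth_supply += minted                # may be 0: asset pulled, nothing minted
        return minted

    def deposit_fixed(self, asset, amount):
        """Mint against the pre-deposit price, then pull the asset; revert on a
        zero mint (second finding). 'ZeroRsETHMint' is an assumed revert reason."""
        minted = self._mint_amount(asset, amount)
        if minted == 0:
            raise ValueError("ZeroRsETHMint")
        self.rseth_supply += minted
        self.balances[asset] += amount
        return minted


def compare_orderings():
    """(buggy, fixed) rsETH minted for a constructed 10 ETH deposit into a pool
    holding 100 ETH of stETH against 100 rsETH (price exactly 1 ETH)."""
    state = dict(balances={"stETH": 100 * WAD}, prices={"stETH": WAD},
                 rseth_supply=100 * WAD)
    return (DepositPool(**state).deposit_buggy("stETH", 10 * WAD),
            DepositPool(**state).deposit_fixed("stETH", 10 * WAD))
```

With the deposit counted first the price moves from 1.0 to 1.1 ETH and the depositor receives about 9.09 rsETH instead of 10; a 1 wei deposit into a pool priced at 2 ETH per rsETH mints 0 under the buggy ordering and reverts under the fixed one.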
#0 - c4-pre-sort
2023-11-16T00:19:37Z
raymondfam marked the issue as insufficient quality report
#1 - raymondfam
2023-11-16T00:21:45Z
Insufficient proof as illustrated in #42.
#2 - c4-pre-sort
2023-11-16T00:22:33Z
raymondfam marked the issue as primary issue
#3 - fatherGoose1
2023-12-01T16:58:35Z
Does not describe a donation attack. Simply explains that a user can be minted 0 shares as a result of depositing a small amount. QA
#4 - c4-judge
2023-12-01T16:58:45Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#5 - c4-judge
2023-12-01T16:58:50Z
fatherGoose1 marked the issue as grade-b