Kelp DAO | rsETH - Banditx0x's results

A collective DAO designed to unlock liquidity, DeFi and higher rewards for restaked assets through liquid restaking.

General Information

Platform: Code4rena

Start Date: 10/11/2023

Pot Size: $28,000 USDC

Total HM: 5

Participants: 185

Period: 5 days

Judge: 0xDjango

Id: 305

League: ETH

Researcher Performance

Rank: 116/185

Findings: 1

Award: $4.66

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/c5fdc2e62c5e1d78769f44d6e34a6fb9e40c00f0/src/LRTDepositPool.sol#L95-L110

Vulnerability details

Impact

The first deposit can be front-run so that the amount minted rounds down to zero, which means the attacker gets 100% of the victim's deposit contributed to the rsETH exchange rate.

Proof of Concept

When deposit is called and there are already pre-existing deposits, the conversion rate is totalETHInPool / rsEthSupply.

When an initial deposit is sent to the pool, it can be front-run as follows:

  1. Alice mints 1 rsETH.
  2. Alice sends a large ETH deposit directly into a contract that is accounted for in totalETHInPool, such that totalETHInPool / rsEthSupply is greater than amount * lrtOracle.getAssetPrice(asset) of the victim's deposit.
  3. The victim's deposit goes in.
  4. totalETHInPool / rsEthSupply is greater than amount * lrtOracle.getAssetPrice(asset).
  5. Therefore the amount minted rounds down to zero.

Therefore zero shares are minted for the victim, which results in a greater share of the pool for the attacker, since they still hold 100% of the rsETH and a boosted conversion rate, which also applies to future deposits. When withdrawals are implemented, this also means they can withdraw the victim's entire deposit and whatever assets they sent directly to the contract.

Tools Used

Manual Review

Recommended Mitigation Steps

Use internal accounting that tracks deposits and withdrawals, rather than relying on balanceOf.

Assessed type

Math
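The rounding described in the Proof of Concept and the effect of the recommended internal accounting can be checked with integer arithmetic. This is an added example, not code from the contest repository or the finding's author: the `DepositPool` model, its method names, the 1:1 asset price, the 1:1 rate at zero supply and the deposit sizes are all assumptions made for illustration.

```python
WAD = 10**18  # fixed-point scale; an asset price of 1 ETH per token is assumed

class DepositPool:
    """Simplified model of the share math described above (not Kelp's code)."""

    def __init__(self, internal_accounting):
        self.internal_accounting = internal_accounting
        self.balance = 0   # what balanceOf would report, includes direct transfers
        self.tracked = 0   # only amounts that went through deposit()
        self.supply = 0    # rsETH supply in smallest units
        self.shares = {}

    def total_assets(self):
        return self.tracked if self.internal_accounting else self.balance

    def rate(self):
        # totalETHInPool / rsEthSupply; 1:1 while supply is zero (assumed)
        if self.supply == 0:
            return WAD
        return self.total_assets() * WAD // self.supply

    def transfer_in(self, amount):
        # tokens sent straight to the contract, bypassing deposit()
        self.balance += amount

    def deposit(self, who, amount):
        minted = amount * WAD // self.rate()  # integer division rounds down
        self.balance += amount
        self.tracked += amount
        self.supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def claim(self, who):
        # value of a holder's shares at the current rate
        return self.shares.get(who, 0) * self.total_assets() // self.supply


def scenario(internal_accounting):
    pool = DepositPool(internal_accounting)
    pool.deposit("alice", 1)              # step 1: minimal first deposit
    pool.transfer_in(100 * WAD)           # step 2: direct transfer inflates balance
    victim_minted = pool.deposit("victim", 10 * WAD)  # step 3
    return victim_minted, pool.claim("alice")


if __name__ == "__main__":
    print("balanceOf accounting :", scenario(False))
    print("internal accounting  :", scenario(True))
```

With balance-based accounting the victim's mint is zero and the first depositor's single share is backed by the whole balance; with internal accounting the direct transfer does not move the rate and the victim is minted shares in proportion to the deposit.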

#0 - c4-pre-sort

2023-11-15T22:16:13Z

raymondfam marked the issue as sufficient quality report

#1 - c4-pre-sort

2023-11-15T22:16:21Z

raymondfam marked the issue as duplicate of #42

#2 - c4-judge

2023-12-01T16:56:42Z

fatherGoose1 marked the issue as satisfactory
