Kelp DAO | rsETH - Eigenvectors's results

A collective DAO designed to unlock liquidity, DeFi and higher rewards for restaked assets through liquid restaking.

General Information

Platform: Code4rena

Start Date: 10/11/2023

Pot Size: $28,000 USDC

Total HM: 5

Participants: 185

Period: 5 days

Judge: 0xDjango

Id: 305

League: ETH

Kelp DAO

Findings Distribution

Researcher Performance

Rank: 133/185

Findings: 1

Award: $2.76

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

2.7592 USDC - $2.76

Labels

bug
downgraded by judge
grade-b
insufficient quality report
QA (Quality Assurance)
duplicate-168
Q-106

External Links

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L91-L157

Vulnerability details

Summary

When a user deposits a small amount of an asset to mint rsETH and the current rsETH price is higher than the current price of that asset, the user can pay the deposit but receive no rsETH tokens in return.

Vulnerability Details

To mint rsETH a user calls the depositAsset function, which calls _mintRsETH, which in turn calls getRsETHAmountToMint:

function depositAsset(
    address asset,
    uint256 depositAmount
)
    external
    whenNotPaused
    nonReentrant
    onlySupportedAsset(asset)
{
    // checks
    if (depositAmount == 0) {
        revert InvalidAmount();
    }
    if (depositAmount > getAssetCurrentLimit(asset)) {
        revert MaximumDepositLimitReached();
    }

    if (!IERC20(asset).transferFrom(msg.sender, address(this), depositAmount)) {
        revert TokenTransferFailed();
    }

    // interactions
    uint256 rsethAmountMinted = _mintRsETH(asset, depositAmount);

    emit AssetDeposit(asset, depositAmount, rsethAmountMinted);
}

function _mintRsETH(address _asset, uint256 _amount) private returns (uint256 rsethAmountToMint) {
    (rsethAmountToMint) = getRsETHAmountToMint(_asset, _amount);

    address rsethToken = lrtConfig.rsETH();
    // mint rseth for user
    IRSETH(rsethToken).mint(msg.sender, rsethAmountToMint);
}

function getRsETHAmountToMint(
    address asset,
    uint256 amount
)
    public
    view
    override
    returns (uint256 rsethAmountToMint)
{
    // setup oracle contract
    address lrtOracleAddress = lrtConfig.getContract(LRTConstants.LRT_ORACLE);
    ILRTOracle lrtOracle = ILRTOracle(lrtOracleAddress);

    // calculate rseth amount to mint based on asset amount and asset exchange rate
    rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
}

As we can see, the getRsETHAmountToMint function calculates the amount of rsETH the user receives for the given amount of the specified asset. The formula for rsethAmountToMint is:

rsethAmountToMint = (amount * assetPrice) / rsETHPrice

Therefore, if amount times the current asset price is smaller than the current rsETH price, the integer division rounds the result down to zero: the user receives no rsETH while the pool still keeps the deposited assets, because nothing in the system checks for this case:

amount = 1
assetPrice = 1e18
rsETHPrice = 1.1e18

rsethAmountToMint = (amount * assetPrice) / rsETHPrice
rsethAmountToMint = (1 * 1e18) / 1.1e18 = 0.909..., truncated to uint256 = 0

When the deposited asset is priced at around one ether while the rsETH price has already increased a lot, the problem gets worse, since a larger deposit is needed before the division yields a non-zero result.

Impact

User loses all deposited assets.

Tools Used

Manual Review

Recommendations

Revert if the calculated rsethAmountToMint equals zero.
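The rounding worked through in the Vulnerability Details section and the zero-amount revert proposed above, as an added example that is not code from the Kelp DAO repository or the report: a Python model of the LRTDepositPool mint arithmetic in EVM-style unsigned integer math. It goes slightly beyond the single numeric case in the report by computing, for any pair of oracle prices, the smallest deposit that still mints a non-zero amount, and by comparing the reported behaviour with the recommended check. The prices, the function names and the ZeroRsETHMint error name are constructed assumptions chosen to mirror the Solidity shown above.

```python
# Added example (not code from the Kelp DAO repository): a Python model of the
# LRTDepositPool mint arithmetic in EVM-style unsigned integer math, used to
# show when the computed rsETH amount rounds down to zero and what the
# recommended zero-amount revert changes. Names are assumptions chosen to
# mirror the Solidity in the report.

WAD = 10**18  # 18-decimal fixed point; the sample oracle prices below are constructed


def rseth_amount_to_mint(amount: int, asset_price: int, rseth_price: int) -> int:
    """Mirror of getRsETHAmountToMint: (amount * assetPrice) / rsETHPrice.

    Python's // on non-negative ints truncates toward zero exactly like
    Solidity's uint256 division, so the rounding behaviour is the same.
    """
    if rseth_price == 0:
        raise ZeroDivisionError("rsETH price must be non-zero")
    return (amount * asset_price) // rseth_price


def min_deposit_for_nonzero_mint(asset_price: int, rseth_price: int) -> int:
    """Smallest deposit (in asset base units) that mints at least 1 wei of rsETH.

    Solving amount * assetPrice >= rsETHPrice gives ceil(rsETHPrice / assetPrice).
    """
    return -(-rseth_price // asset_price)


def unpaid_remainder(amount: int, asset_price: int, rseth_price: int) -> int:
    """Numerator value (in amount * assetPrice units) discarded by truncation.

    Every deposit forfeits a remainder smaller than rsETHPrice; the zero-mint
    case is the extreme where the whole deposit is remainder.
    """
    return (amount * asset_price) % rseth_price


def simulate_deposit(amount: int, asset_price: int, rseth_price: int, hardened: bool) -> dict:
    """Model of depositAsset.

    hardened=False behaves like the reported code: the tokens are pulled in and
    whatever getRsETHAmountToMint returns is minted, even if that is zero.
    hardened=True applies the recommended check: the whole call reverts (so no
    tokens are taken) when the mint amount would be zero.
    """
    if amount == 0:
        return {"reverted": True, "reason": "InvalidAmount", "minted": 0, "assets_taken": 0}
    minted = rseth_amount_to_mint(amount, asset_price, rseth_price)
    if hardened and minted == 0:
        # Recommended fix; "ZeroRsETHMint" is a hypothetical error name.
        return {"reverted": True, "reason": "ZeroRsETHMint", "minted": 0, "assets_taken": 0}
    return {"reverted": False, "reason": None, "minted": minted, "assets_taken": amount}


if __name__ == "__main__":
    asset_price = 1 * WAD          # constructed: asset priced at 1 ETH
    rseth_price = 11 * WAD // 10   # constructed: rsETH priced at 1.1 ETH
    print("min deposit for a non-zero mint:",
          min_deposit_for_nonzero_mint(asset_price, rseth_price))
    for amount in (1, 2, 3):
        print(amount,
              simulate_deposit(amount, asset_price, rseth_price, hardened=False),
              simulate_deposit(amount, asset_price, rseth_price, hardened=True))
```

With the constructed prices, a deposit of 1 base unit mints nothing but is still taken in the unhardened model, while the hardened model reverts and takes nothing; the threshold function shows that the higher the rsETH price climbs relative to the asset, the more base units a deposit must contain before the division yields a non-zero result.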

Assessed type

Math

#0 - c4-pre-sort

2023-11-16T01:03:49Z

raymondfam marked the issue as insufficient quality report

#1 - c4-pre-sort

2023-11-16T01:05:14Z

raymondfam marked the issue as duplicate of #168

#2 - c4-judge

2023-12-01T16:58:43Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-12-01T18:42:06Z

fatherGoose1 marked the issue as grade-b
