Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 180/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L162
In situations whereby Node Delegator Contract is compromised, since there is no way to remove this node Delegator contract from storage it would in extension affect the security of the Protocol. In addition to this in a situation admins due to human error adds same node Delegator contract twice it would cause Inflation in calculation from L83 & excess transfer at L194 of the same contract since node Delegator cannot be removed.
function addNodeDelegatorContractToQueue(address[] calldata nodeDelegatorContracts) external onlyLRTAdmin { uint256 length = nodeDelegatorContracts.length; if (nodeDelegatorQueue.length + length > maxNodeDelegatorCount) { revert MaximumNodeDelegatorCountReached(); } for (uint256 i; i < length;) { UtilLib.checkNonZeroAddress(nodeDelegatorContracts[i]); nodeDelegatorQueue.push(nodeDelegatorContracts[i]); emit NodeDelegatorAddedinQueue(nodeDelegatorContracts[i]); unchecked { ++i; } } }
The code above shows how Node Delegator is added to the contract Node Delegator Queue, there is no point in the contract or other related inherited contract that shows where Node Delegator can be removed if Node Delegator address is compromised.
No Poc Code since it is a design problem
Manual Review
An Additional function should be added to the contract to make removal of node delegator is possible after necessary conditions and interaction precautions have been met, it should be callable by only Admin i.e onlyLRTAdmin. A sample removal function could look like this :
function removeNodeDelegatorContractToQueue(uint index) external onlyLRTAdmin { if (index >= nodeDelegatorQueue.length) return; for (uint i = index; i < nodeDelegatorQueue.length-1; i++){ nodeDelegatorQueue[i] = nodeDelegatorQueue[i+1]; } nodeDelegatorQueue.pop(); emit NodeDelegatorRemovedinQueue(nodeDelegatorQueue[i]); }
Note: The Removal function should be more sophisticated that this to ensure node Delegator address is safely removed without escalation to other problems
Access Control
#0 - c4-pre-sort
2023-11-16T22:04:10Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T22:04:26Z
raymondfam marked the issue as duplicate of #38
#2 - c4-judge
2023-12-01T17:45:50Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-12-01T17:47:19Z
fatherGoose1 marked the issue as grade-b