Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 123/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
The NodeDelegator.transferBackToLRTDepositPool function doesn't check that LRT_DEPOSIT_POOL was set:
LRTConfig.sol
    function getContract(bytes32 contractKey) external view override returns (address) {
        return contractMap[contractKey];
    }
NodeDelegator.sol
    function transferBackToLRTDepositPool(
        address asset,
        uint256 amount
    )
        external
        whenNotPaused
        nonReentrant
        onlySupportedAsset(asset)
        onlyLRTManager
    {
        address lrtDepositPool = lrtConfig.getContract(LRTConstants.LRT_DEPOSIT_POOL);
        if (!IERC20(asset).transfer(lrtDepositPool, amount)) {
            revert TokenTransferFailed();
        }
    }
In the case when this address was not set, the funds will be transferred to the zero address and will be lost for good.
The probability of this situation is low since in most cases the LRTOracle.getRSETHPrice also uses this address and therefore the LRTDepositPool.depositAsset transaction will be reverted. But in the case when rsEthSupply == 0 the LRTOracle.getRSETHPrice doesn't use LRT_DEPOSIT_POOL. In this case, the flow LRTDepositPool.depositAsset -> LRTDepositPool.transferAssetToNodeDelegator -> NodeDelegator.transferBackToLRTDepositPool can be executed without reverts and funds can be lost.
Funds can be lost in the NodeDelegator.transferBackToLRTDepositPool if the LRT_DEPOSIT_POOL contract address was not set in the LRTConfig. The probability of such a situation is low but it is better to prevent it completely.
-
Manual Review
Consider adding a check that lrtDepositPool is not equal to the zero address in the NodeDelegator.transferBackToLRTDepositPool.
Invalid Validation
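The recommended check, written out as an added example (not the audited project's code and not part of the submission). It assumes a minimal config and delegator; `LRTConfigSketch`, `NodeDelegatorSketch`, `_getContractOrRevert`, `ContractNotSet` and the `keccak256` key derivation are hypothetical, and the access-control and pause modifiers from the snippet above are omitted for brevity.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// Hypothetical stand-in for LRTConfig: an unset key reads back as address(0).
contract LRTConfigSketch {
    mapping(bytes32 => address) public contractMap;

    function setContract(bytes32 contractKey, address target) external {
        contractMap[contractKey] = target; // access control omitted in this sketch
    }

    function getContract(bytes32 contractKey) external view returns (address) {
        return contractMap[contractKey];
    }
}

// Hypothetical stand-in for NodeDelegator with the zero-address check added.
contract NodeDelegatorSketch {
    // Assumed key derivation; the finding only shows LRTConstants.LRT_DEPOSIT_POOL.
    bytes32 public constant LRT_DEPOSIT_POOL = keccak256("LRT_DEPOSIT_POOL");

    LRTConfigSketch public immutable lrtConfig;

    error TokenTransferFailed();             // name taken from the finding's snippet
    error ContractNotSet(bytes32 contractKey); // hypothetical

    constructor(LRTConfigSketch config) {
        lrtConfig = config;
    }

    // Resolve a config entry and fail closed when it was never set, so every
    // caller gets the same guard instead of repeating the comparison.
    function _getContractOrRevert(bytes32 contractKey) internal view returns (address target) {
        target = lrtConfig.getContract(contractKey);
        if (target == address(0)) revert ContractNotSet(contractKey);
    }

    function transferBackToLRTDepositPool(address asset, uint256 amount) external {
        // Reverts before any token movement if LRT_DEPOSIT_POOL is unset.
        address lrtDepositPool = _getContractOrRevert(LRT_DEPOSIT_POOL);

        if (!IERC20(asset).transfer(lrtDepositPool, amount)) {
            revert TokenTransferFailed();
        }
    }
}
```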
#0 - c4-pre-sort
2023-11-16T04:58:00Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T04:58:10Z
raymondfam marked the issue as duplicate of #69
#2 - c4-judge
2023-11-29T20:58:12Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-29T21:02:11Z
fatherGoose1 marked the issue as grade-b