Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 159/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L151-L156
Significant loss of user funds, when calling depositAsset the user will lose their depositAmount and receive 0 RsETH in return due to a rounding area, for specific assets.
The protocol intends to use Chainlink Price Feeds as the price oracle however they haven't considered the fact that most price feeds denominated in USD return prices to 8 decimals.
This is problematic as RsETH is 18 decimals, therefore in getRsETHAmountToMint the returned amount to mint will likely round to 0 for these assets as you can see here.
// calculate rseth amount to mint based on asset amount and asset exchange rate rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice(); }
The value from getAssetPrice is computed as so:
function getAssetPrice( address asset ) public view onlySupportedAsset(asset) returns (uint256) { return IPriceFetcher(assetPriceOracle[asset]).getAssetPrice(asset); }
As you can see the value is used directly, without any consideration of the decimals.
Also, the depositAsset function doesn't allow the user to specify a minimum amount of RsETH to receive and there is no validation of the minted amount, meaning should this rounding error occur it will not be caught.
manual
Account for the decimals from the returned value of the price feed, and allow users to specify a minimum amount of RsETH to receive.
Invalid Validation
#0 - c4-pre-sort
2023-11-16T04:38:52Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-11-16T04:39:16Z
raymondfam marked the issue as duplicate of #97
#2 - c4-pre-sort
2023-11-17T08:02:06Z
raymondfam marked the issue as duplicate of #479
#3 - c4-judge
2023-12-01T18:01:01Z
fatherGoose1 changed the severity to 2 (Med Risk)
#4 - c4-judge
2023-12-01T18:06:36Z
fatherGoose1 marked the issue as satisfactory
#5 - c4-judge
2023-12-04T17:24:48Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#6 - c4-judge
2023-12-08T18:52:48Z
fatherGoose1 marked the issue as grade-b