Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 152/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L73 https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L79
In LRTConfig.sol, the MANAGER role can add new supported assets, but they cannot be removed once added.
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTConfig.sol#L73
If an asset is vulnerable, malicious, or added by mistake, it could result in a permanent denial of service by disabling asset deposits on LRTDepositPool.sol. Allowing supported assets to be removed prevents the denial of service from being permanent.
This is medium severity due to having an external requirement.
If one of the balanceOf external calls in LRTDepositPool.getAssetDistributionData(address) fails, depositing assets will be disabled.
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L79
This can be done by an ERC20 contract that simply reverts in the balanceOf(address) function.
Manual review
A function in LRTConfig should allow either the MANAGER or DEFAULT_ADMIN_ROLE roles to remove a supported asset if it is found to have an issue.
DoS
#0 - c4-pre-sort
2023-11-16T02:59:17Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T02:59:27Z
raymondfam marked the issue as duplicate of #38
#2 - c4-judge
2023-12-01T17:45:49Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-12-01T17:46:53Z
fatherGoose1 marked the issue as grade-b