Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 131/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L46
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L96
In the LRTOracle smart contract, there is a vulnerability related to using unvalidated asset addresses in the price Oracle functions. Specifically, the getAssetPrice and updatePriceOracleFor functions do not perform adequate validation checks on the asset parameter, which can lead to potential issues and unexpected behaviour.
This vulnerability could lead to unexpected behaviour, transaction failures, and potential security risks due to using unvalidated asset addresses in price oracle operations, potentially affecting data integrity and user experience.
This vulnerability can result in undesirable behaviour or unexpected reverts if invalid or null asset addresses are used as inputs to these functions. The code did not originally perform checks to verify the validity of the asset parameter in the getAssetPrice and updatePriceOracleFor functions. This could potentially allow the use of invalid or null asset addresses.
function getAssetPrice(address asset) public view onlySupportedAsset(asset) returns (uint256) {
    return IPriceFetcher(assetPriceOracle[asset]).getAssetPrice(asset);
}

function updatePriceOracleFor(
    address asset,
    address priceOracle
)
    external
    onlyLRTManager
    onlySupportedAsset(asset)
{
    UtilLib.checkNonZeroAddress(priceOracle);
    assetPriceOracle[asset] = priceOracle;
    emit AssetPriceOracleUpdate(asset, priceOracle);
}
Manual Review
function getAssetPrice(address asset) public view onlySupportedAsset(asset) returns (uint256) {
    require(asset != address(0), "Invalid asset address"); // Check for valid asset address
    return IPriceFetcher(assetPriceOracle[asset]).getAssetPrice(asset);
}

function updatePriceOracleFor(
    address asset,
    address priceOracle
)
    external
    onlyLRTManager
    onlySupportedAsset(asset)
{
    require(asset != address(0), "Invalid asset address"); // Check for valid asset address
    UtilLib.checkNonZeroAddress(priceOracle);
    assetPriceOracle[asset] = priceOracle;
    emit AssetPriceOracleUpdate(asset, priceOracle);
}
Oracle
#0 - c4-pre-sort
2023-11-16T03:18:54Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T03:19:05Z
raymondfam marked the issue as duplicate of #69
#2 - c4-judge
2023-11-29T20:58:12Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-11-29T21:01:18Z
fatherGoose1 marked the issue as grade-b