Back to pipidu83's contests

Kelp DAO | rsETH - pipidu83's results

A collective DAO designed to unlock liquidity, DeFi and higher rewards for restaked assets through liquid restaking.

General Information

Platform: Code4rena

Start Date: 10/11/2023

Pot Size: $28,000 USDC

Total HM: 5

Participants: 185

Period: 5 days

Judge: 0xDjango

Id: 305

League: ETH

Kelp DAO

Findings Distribution

Researcher Performance

Rank: 143/185

Findings: 1

Award: $2.76

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryKelp DAO

Findings Information

🌟 Selected for report: m_Rassska

Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-

Awards

2.7592 USDC - $2.76

Labels

bug
downgraded by judge
grade-b
insufficient quality report
primary issue
QA (Quality Assurance)
Q-116

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L56-L58

Vulnerability details

Impact

The function getAssetCurrentLimit can revert unexpectedly if getTotalAssetDeposits(asset) is greater than lrtConfig.depositLimitByAsset(asset), which can happen after updating deposit limits.

This vulnerability should be marked as MEDIUM as this is a public view function and could then be used by other contracts, which would rightly expect a return value equal to 0 in case more assets were deposited than the current limit, and potentially malfunction on this revert.

Another side effect of lesser severity is that the depositAsset will revert with no named reason when getAssetCurrentLimit reverts. It would be cleaner to catch this revert with a custom error.

Proof of Concept

Let's take a closer look at the getAssetCurrentLimit function below

function getAssetCurrentLimit(address asset) public view override returns (uint256) {
        return lrtConfig.depositLimitByAsset(asset) - getTotalAssetDeposits(asset);
 }

First asset1 is initially added by LRTConstants.MANAGER (thanks to the addNewSupportedAsset function in the LRTConfig contract) with a depositLimitByAsset[asset1] set to 1e18.

Let's assume a user then deposits an amount 5e17 of asset1 in the depositAsset function.

Let's now assume LRTConstants.MANAGER then updates the depositLimitByAsset[asset1] with the updateAssetDepositLimit function in the LRTConfig contract to 0.

In this situation, the getTotalAssetDeposits function the returns 5e17 for asset1, and [depositLimitByAsset] is then equal to 0, leading the getAssetCurrentLimit function to revert when called with asset1 as an input.

Tools Used

Manual Review / Visual Studio

This vulnerability can be fixed with a simple check in the getAssetCurrentLimit function as per below:

function getAssetCurrentLimit(address asset) public view override returns (uint256) {
    if (lrtConfig.depositLimitByAsset(asset) > getTotalAssetDeposits(asset)) {
        return lrtConfig.depositLimitByAsset(asset) - getTotalAssetDeposits(asset);
    }
    else {
        return 0;
     }
}

in this case the function will not revert and will simply return 0 when getTotalAssetDeposits(asset) is greater than lrtConfig.depositLimitByAsset(asset), preventing the potentially negative effects described above.

Assessed type

Under/Overflow

#0 - c4-pre-sort

2023-11-15T23:12:48Z

raymondfam marked the issue as insufficient quality report

#1 - c4-pre-sort

2023-11-15T23:13:01Z

raymondfam marked the issue as primary issue

#2 - raymondfam

2023-11-15T23:14:35Z

It's still going to revert here anyway:

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L132-L134

        if (depositAmount > getAssetCurrentLimit(asset)) {
            revert MaximumDepositLimitReached();
        }

#3 - fatherGoose1

2023-11-29T19:14:25Z

Downgrading to QA. Returning 0 would be a better solution but does not warrant medium.

#4 - c4-judge

2023-11-29T19:14:34Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#5 - c4-judge

2023-11-29T19:14:39Z

fatherGoose1 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter