Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 137/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
A malicious actor could manipulate on-chain values, such as the total supply of rsETH, to influence the calculated rsETHPrice. Users relying on the accurate pricing mechanism may experience financial loss or gain due to manipulated on-chain values.
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L52
This vulnerability arises from the use of on-chain values, specifically the total supply of rsETH (rsEthSupply), to determine the price of rsETH. A malicious actor can potentially manipulate these on-chain values to their advantage, affecting the overall token economy and user trust.
return totalETHInPool / rsEthSupply;
Example Scenario:
The mint function in LRTDepositPool relies on the accurate rsETHPrice obtained from getRSETHPrice to calculate the amount of rsETH to mint based on the value of the provided asset.
Due to the manipulated rsETH price, users may receive more or fewer rsETH tokens than expected when providing assets for minting.
rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
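The following is an added worked example, not Kelp's code and not part of the original submission. It models the two lines quoted above (LRTOracle's `totalETHInPool / rsEthSupply` and LRTDepositPool's `amount * assetPrice / rsETHPrice`) with EVM-style truncating integer arithmetic, so that the effect of moving either oracle input on a depositor's mint amount can be seen concretely. The 18-decimal scaling, asset price, pool state and the perturbations applied are constructed assumptions; the report's premise that totalETHInPool or rsEthSupply can be moved independently is taken as given here, not demonstrated.

```python
"""Added example (not Kelp's code): integer model of the two lines quoted in
this report, LRTOracle's `totalETHInPool / rsEthSupply` and LRTDepositPool's
`amount * assetPrice / rsETHPrice`, showing how moving either oracle input
changes what a depositor is minted. Scaling, pool state and prices are
constructed assumptions; the ability to move the inputs is the report's
premise, taken as given here, not demonstrated."""

WAD = 10**18  # assumed: 18-decimal fixed point for amounts and prices


def rseth_price(total_eth_in_pool: int, rseth_supply: int) -> int:
    """`return totalETHInPool / rsEthSupply;` with EVM truncating division.

    totalETHInPool is assumed to be sum(assetAmount * assetPrice), i.e.
    WAD*WAD scaled, so the result is a WAD-scaled price. A zero supply is
    treated as a revert, since the quoted line alone would divide by zero.
    """
    if rseth_supply == 0:
        raise ValueError("rsEthSupply == 0: division by zero would revert")
    return total_eth_in_pool // rseth_supply


def rseth_to_mint(amount: int, asset_price: int, price: int) -> int:
    """`rsethAmountToMint = (amount * assetPrice) / rsETHPrice;`"""
    return (amount * asset_price) // price


def mint_under(pool_eth: int, supply: int, deposit: int, asset_price: int) -> int:
    """rsETH a depositor receives for `deposit` under a given pool state."""
    return rseth_to_mint(deposit, asset_price, rseth_price(pool_eth, supply))


def simulate() -> dict:
    """Baseline mint vs. two assumed perturbations of the oracle inputs."""
    asset_price = WAD                 # assumed: 1 asset = 1 ETH
    deposit = 1 * WAD                 # user deposits 1 asset
    pool_eth = 100 * WAD * WAD        # assumed: 100 ETH of value in the pool
    supply = 100 * WAD                # assumed: 100 rsETH outstanding

    baseline = mint_under(pool_eth, supply, deposit, asset_price)

    # 1. totalETHInPool rises by 50 ETH of value while no rsETH is minted:
    #    the price climbs to 1.5 ETH and the same deposit mints less.
    inflated = mint_under(pool_eth + 50 * WAD * WAD, supply, deposit, asset_price)

    # 2. Extreme ratio: 10 ETH of value against a 1 wei rsETH supply. The
    #    price is so large that truncation mints nothing for a 1 ETH deposit.
    dust = mint_under(10 * WAD * WAD, 1, deposit, asset_price)

    return {"baseline": baseline, "inflated": inflated, "dust_supply": dust}


if __name__ == "__main__":
    for name, minted in simulate().items():
        print(f"{name:12s} -> {minted / WAD:.18f} rsETH")
```

Running the block prints the three mint amounts; the gap between the baseline and the perturbed cases is exactly what the scenario above describes as users receiving fewer rsETH than expected, and the last case shows that with a sufficiently skewed ratio the truncating division yields zero.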
Manual Analysis
Explore alternative methods for calculating the rsETH price that are less susceptible to manipulation, such as using a decentralized price oracle or a moving average of recent prices.
Oracle
#0 - c4-pre-sort
2023-11-16T07:40:19Z
raymondfam marked the issue as insufficient quality report
#1 - c4-pre-sort
2023-11-16T07:40:38Z
raymondfam marked the issue as duplicate of #168
#2 - c4-judge
2023-12-01T16:58:42Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#3 - c4-judge
2023-12-01T18:42:48Z
fatherGoose1 marked the issue as grade-b