Kelp DAO | rsETH - roleengineer's results

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTOracle.sol#L70

Vulnerability details

Impact

Value of totalAssetAmt could be calculated incorrectly (less than real), which produces incorrect rsETH price (less than real), which results in incorrect amount of rsETH tokens being minted (greater than real) by calling depositAsset function on LRTDepositPool. Results in real rsETH price drop.

totalAssetAmt is calculated incorrect, when asset strategy was changed by LRTConfig admin and previous strategy still holds significant amount of asset, which cannot be withdrawn due to previous strategy paused withdrawals by EigenLayer protocol.

It could happen, as option of several strategies per asset in EigenLayer protocol is ignored by current implementation: LRTConfig stores only one strategy per asset (with ability to update) and to get staked amount by NodeDelegator getAssetBalance function is used in LRTDepositPool function getAssetDistributionData.

Proof of Concept

Prerequisites:

• NodeDelegator deposited significant amount of asset into strategy#1.
• EigenLayer paused strategy#1 withdrawals.
• EigenLayer whitelisted strategy#2 for the same asset.
• LRTConfig admin updated asset strategy (replaced strategy#1 with strategy#2).

Call flow:

• user calls LRTDepositPool depositAsset function
• depositAsset function executes internal _mintRsETH call
• _mintRsETH executes internal getRsETHAmountToMint call
• getRsETHAmountToMint makes external LRTOracle getRSETHPrice function function call
• getRSETHPrice makes external LRTDepositPool getTotalAssetDeposits function call
• getTotalAssetDeposits executes internal getAssetDistributionData call
• getAssetDistributionData makes external NodeDelegator getAssetBalance function call
• getAssetBalance receives data related only to strategy#2 and ignores significant amount of staked asset in strategy#1 and returns incorrect asset balance value
• getAssetDistributionData assigns incorrect value to assetStakedInEigenLayer variable
• getTotalAssetDeposits returns incorrect totalAssetDeposit value
• getRSETHPrice assigns incorrect totalAssetAmt value and adds significantly less amount to totalETHInPool, returns significantly less incorrect rsETHPrice
• getRsETHAmountToMint assigns and returns significantly greater incorrect rsethAmountToMint value
• _mintRsETH mints significantly more rsETH than needed

Tools Used

Test can be added on request.

Recommended Mitigation Steps

Consider in implementation several strategies per asset or store staked amounts inside a protocol and read one slot per asset instead of external calls.

Assessed type

Context