Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 154/185
Findings: 1
Award: $2.76
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
Developer assumption on decimals can lead to incorrect rsethAmountToMint calculation in the future and to loss of funds
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L109
docs.chain.link/data-feeds/price-feeds/addresses?network=ethereum
If the oracles of LSTs added in the future do not use the same 18 decimals as rsETH, rsethAmountToMint will be calculated incorrectly, which will lead to loss of funds. Chainlink oracles can report different decimals for different tokens. Using hardcoded decimals is incorrect because new LST tokens can be added in the future through the addNewSupportedAsset() function.
Manual review
Call "function decimals() external view returns (uint8);" on the asset's Chainlink oracle before calculations to choose which decimal precision to use.
Decimal
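One way to apply the recommendation above, shown as an added example that is not part of the original submission or the Kelp code base. `FeedPriceNormalizer`, `MockFeed8` and `NormalizerDemo` are hypothetical names, the mock's 8-decimal answer is constructed sample data, and the interface is a subset of Chainlink's `AggregatorV3Interface`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

// Subset of Chainlink's AggregatorV3Interface used by this example.
interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData() external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Hypothetical helper: scales a feed answer to 18 decimals using the feed's own decimals().
library FeedPriceNormalizer {
    uint8 internal constant TARGET_DECIMALS = 18;

    error NonPositivePrice(int256 answer);

    function priceIn18Decimals(AggregatorV3Interface feed) internal view returns (uint256) {
        (, int256 answer,,,) = feed.latestRoundData();
        if (answer <= 0) revert NonPositivePrice(answer);

        uint8 feedDecimals = feed.decimals(); // read from the feed, never assumed
        uint256 price = uint256(answer);
        if (feedDecimals < TARGET_DECIMALS) {
            return price * 10 ** uint256(TARGET_DECIMALS - feedDecimals);
        }
        if (feedDecimals > TARGET_DECIMALS) {
            return price / 10 ** uint256(feedDecimals - TARGET_DECIMALS);
        }
        return price;
    }
}

// Constructed mock: a feed that reports its answer with 8 decimals.
contract MockFeed8 is AggregatorV3Interface {
    function decimals() external pure override returns (uint8) { return 8; }

    function latestRoundData() external view override returns (uint80, int256, uint256, uint256, uint80) {
        return (1, 1.05e8, block.timestamp, block.timestamp, 1);
    }
}

// Returns the raw answer next to the normalized one so the scale mismatch is visible.
contract NormalizerDemo {
    function rawVsNormalized(AggregatorV3Interface feed) external view returns (uint256 raw, uint256 normalized) {
        (, int256 answer,,,) = feed.latestRoundData();
        raw = uint256(answer); // treating this as 18-decimal understates an 8-decimal price by 1e10
        normalized = FeedPriceNormalizer.priceIn18Decimals(feed);
    }
}
```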
#0 - c4-pre-sort
2023-11-16T03:13:34Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-11-16T03:13:56Z
raymondfam marked the issue as duplicate of #97
#2 - c4-pre-sort
2023-11-17T08:01:56Z
raymondfam marked the issue as duplicate of #479
#3 - c4-judge
2023-12-01T18:01:01Z
fatherGoose1 changed the severity to 2 (Med Risk)
#4 - c4-judge
2023-12-01T18:06:27Z
fatherGoose1 marked the issue as satisfactory
#5 - c4-judge
2023-12-04T17:24:48Z
fatherGoose1 changed the severity to QA (Quality Assurance)
#6 - c4-judge
2023-12-08T18:52:16Z
fatherGoose1 marked the issue as grade-b