Back to taner2344's contests

Kelp DAO | rsETH - taner2344's results

A collective DAO designed to unlock liquidity, DeFi and higher rewards for restaked assets through liquid restaking.

General Information

Platform: Code4rena

Start Date: 10/11/2023

Pot Size: $28,000 USDC

Total HM: 5

Participants: 185

Period: 5 days

Judge: 0xDjango

Id: 305

League: ETH

Kelp DAO

Findings Distribution

Researcher Performance

Rank: 149/185

Findings: 1

Award: $2.76

QA:
grade-b

🌟 Selected for report: 0

πŸš€ Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryKelp DAO

Findings Information

🌟 Selected for report: m_Rassska

Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-

Awards

2.7592 USDC - $2.76

Labels

bug
downgraded by judge
grade-b
insufficient quality report
QA (Quality Assurance)
duplicate-116
Q-101

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTConfig.sol#L94-L104 https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTDepositPool.sol#L56-L58

Vulnerability details

Impact

On LRTConfig contract The method updateAssetDepositLimit is compromising protocol availability on LRTConfig contract by locking the depositAsset method in an unwanted way.

Proof of Concept

On LRTConfig contract , The method updateAssetDepositLimit is coordinating and preventing exceeding deposits to the protocol through depositLimitByAsset state variable.

On LRTConfig contract L94-L104 :

    function updateAssetDepositLimit(   
	address asset,
        uint256 depositLimit
    ) external onlyRole(LRTConstants.MANAGER) onlySupportedAsset(asset) {
        depositLimitByAsset[asset] = depositLimit;
        emit AssetDepositLimitUpdate(asset, depositLimit);
    }

On the other hand , on LRTDepositPool contract limit of asset that will deposited is calculating as follow:

on LRTDepositPool contract L56-L58 :

 function getAssetCurrentLimit(address asset) public view override returns (uint256) {
        return lrtConfig.depositLimitByAsset(asset) - getTotalAssetDeposits(asset);
    }

As you can see , while calculating getAssetCurrentLimit getTotalAssetDeposits subtracts from depositLimitByAsset(asset) variable. Note that getTotalAssetDeposits value. should not be higher than lrtConfig.depositLimitByAsset(asset) .

Nevertheless, on the detail of getTotalAssetDeposits method :


function getTotalAssetDeposits(address asset) public view override returns (uint256 totalAssetDeposit) {
        (uint256 assetLyingInDepositPool, uint256 assetLyingInNDCs, uint256 assetStakedInEigenLayer) =
            getAssetDistributionData(asset);
        return (assetLyingInDepositPool + assetLyingInNDCs + assetStakedInEigenLayer);
    }

It is clear that getTotalAssetDeposits mostly representing amount of ETH that is controlled by other protocols. That means reducing lrtConfig.depositLimitByAsset(asset) would cause to negative value on getAssetCurrentLimit and it will revert immediately. To prevent this updateAssetDepositLimit method should not allow reducing deposit limit.

Tools Used

Manual review

On LRTConfig contract add following line between L101-L102


function updateAssetDepositLimit( 
        address asset,
        uint256 depositLimit
    ) external onlyRole(LRTConstants.MANAGER) onlySupportedAsset(asset) {

+++ require(depositLimit > depositLimitByAsset[asset] , β€œnew limit must be higher than old one β€œ);

        depositLimitByAsset[asset] = depositLimit;
        emit AssetDepositLimitUpdate(asset, depositLimit);
    }




## Assessed type

Other

#0 - c4-pre-sort

2023-11-16T02:29:54Z

raymondfam marked the issue as insufficient quality report

#1 - c4-pre-sort

2023-11-16T02:30:32Z

raymondfam marked the issue as duplicate of #116

#2 - raymondfam

2023-11-16T02:30:41Z

Intended design.

#3 - c4-judge

2023-11-29T19:14:32Z

fatherGoose1 changed the severity to QA (Quality Assurance)

#4 - c4-judge

2023-11-29T19:15:08Z

fatherGoose1 marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax Β© 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter