Platform: Code4rena
Start Date: 10/11/2023
Pot Size: $28,000 USDC
Total HM: 5
Participants: 185
Period: 5 days
Judge: 0xDjango
Id: 305
League: ETH
Rank: 98/185
Findings: 2
Award: $7.42
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: Krace
Also found by: 0xDING99YA, 0xrugpull_detector, Aamir, AlexCzm, Aymen0909, Banditx0x, Bauer, CatsSecurity, GREY-HAWK-REACH, Madalad, Phantasmagoria, QiuhaoLi, Ruhum, SBSecurity, SandNallani, SpicyMeatball, T1MOH, TheSchnilch, adam-idarrha, adriro, almurhasan, ast3ros, ayden, bronze_pickaxe, btk, chaduke, ck, crack-the-kelp, critical-or-high, deth, gumgumzum, jasonxiale, joaovwfreire, ke1caM, m_Rassska, mahdirostami, mahyar, max10afternoon, osmanozdemir1, peanuts, pep7siup, peter, ptsanev, qpzm, rouhsamad, rvierdiiev, spark, twcctop, ubl4nk, wisdomn_, zach, zhaojie
4.6614 USDC - $4.66
https://github.com/code-423n4/2023-11-kelp/blob/ee1154fcb6f6619cdc9aeda27503d9a2cbf6d8eb/src/LRTDepositPool.sol#L95-L110
https://github.com/code-423n4/2023-11-kelp/blob/ee1154fcb6f6619cdc9aeda27503d9a2cbf6d8eb/src/LRTDepositPool.sol#L119
LRTDepositPool is vulnerable to an inflation attack. A malicious user can send asset tokens directly to DoS the contract.
This issue is very similar to the well-known ERC4626 inflation attack.
Take a look at the function getRSETHPrice; the price calculation formula is: totalETHInPool / rsEthSupply.
Attack steps:
1. totalETHInPool = 1wei * 1e18, and rsEthSupply will be 1wei, so getRSETHPrice will return 1e18, which is a normal return value.
2. LRTDepositPool, now totalETHInPool increases to 1 ether, but rsEthSupply is still 1wei, so getRSETHPrice will return 1e18 * 1e18 = 1e36. Notice the annotation of this function, "rsETHPrice exchange rate of RSETH": for an exchange rate, 1e36 is an extremely large value.
3. getRsETHAmountToMint calculates the rsETH he will get.
In rsethAmountToMint = (amount * lrtOracle.getAssetPrice(asset)) / lrtOracle.getRSETHPrice();
rsethAmountToMint = 1ether * 1ether / 1e36 = 1wei, so this user deposits 1 ether but gets 1 wei. So do the later depositors.
manual
Add a variable to record the deposited assets, so that directly transferred assets and deposited assets can be told apart.
Oracle
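The arithmetic in the attack steps above, as an added Python model that is not part of the original submission or the Kelp code base: it runs the quoted price and mint formulas with Solidity-style integer division, once reading the raw token balance and once using the recorded-deposit variable the mitigation proposes. The class and method names, the 1:1 asset price, the 1e18 initial rate at zero supply, and the transfer of 1 ether minus 1 wei (chosen so the balance matches the report's round numbers) are assumptions.

```python
# Added illustration: integer model of the price/mint formulas quoted in the
# finding. Not the Kelp contracts; all names here are hypothetical.
ETHER = 10**18
ASSET_PRICE = ETHER  # assumption: asset priced 1:1 with ETH (1e18 fixed point)


class Pool:
    def __init__(self, track_deposits):
        self.track_deposits = track_deposits  # True = mitigation from the report
        self.token_balance = 0  # what balanceOf(pool) would report
        self.recorded = 0       # assets that arrived through deposit()
        self.rseth_supply = 0

    def total_eth_in_pool(self):
        held = self.recorded if self.track_deposits else self.token_balance
        return held * ASSET_PRICE

    def rseth_price(self):
        if self.rseth_supply == 0:
            return ETHER  # assumption: initial exchange rate of 1e18
        return self.total_eth_in_pool() // self.rseth_supply

    def deposit(self, amount):
        # rsethAmountToMint = amount * assetPrice / rsETHPrice, floored
        mint = amount * ASSET_PRICE // self.rseth_price()
        self.token_balance += amount
        self.recorded += amount
        self.rseth_supply += mint
        return mint

    def direct_transfer(self, amount):
        # Plain token transfer: the balance changes, no rsETH is minted.
        self.token_balance += amount


def scenario(track_deposits):
    pool = Pool(track_deposits)
    pool.deposit(1)                      # 1 wei in, 1 wei of rsETH out
    price_before = pool.rseth_price()
    pool.direct_transfer(ETHER - 1)      # constructed: balance is now exactly 1 ether
    price_after = pool.rseth_price()
    later_mint = pool.deposit(ETHER)     # a later depositor puts in 1 ether
    return price_before, price_after, later_mint


if __name__ == "__main__":
    print("balance-based :", scenario(False))
    print("deposit-tracked:", scenario(True))
```

With the raw balance the later 1 ether deposit mints 1 wei of rsETH; with recorded deposits the price stays at 1e18 and the same deposit mints 1e18.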
#0 - c4-pre-sort
2023-11-16T19:18:35Z
raymondfam marked the issue as sufficient quality report
#1 - c4-pre-sort
2023-11-16T19:18:44Z
raymondfam marked the issue as duplicate of #42
#2 - c4-judge
2023-12-01T17:05:03Z
fatherGoose1 marked the issue as satisfactory
🌟 Selected for report: m_Rassska
Also found by: 0x1337, 0xAadi, 0xHelium, 0xLeveler, 0xblackskull, 0xbrett8571, 0xepley, 0xffchain, 0xluckhu, 0xmystery, 0xrugpull_detector, 0xvj, ABAIKUNANBAEV, Aamir, AerialRaider, Amithuddar, Bauchibred, Bauer, CatsSecurity, Cryptor, Daniel526, Draiakoo, Eigenvectors, ElCid, GREY-HAWK-REACH, Inspecktor, Juntao, King_, LinKenji, Madalad, MaslarovK, Matin, MatricksDeCoder, McToady, Noro, PENGUN, Pechenite, Phantasmagoria, RaoulSchaffranek, SBSecurity, SandNallani, Shaheen, Soul22, Stormreckson, T1MOH, Tadev, TeamSS, TheSchnilch, Topmark, Tumelo_Crypto, Udsen, Yanchuan, ZanyBonzy, _thanos1, adeolu, adriro, alexfilippov314, almurhasan, amaechieth, anarcheuz, ayden, baice, bareli, boredpukar, bronze_pickaxe, btk, cartlex_, catellatech, chaduke, cheatc0d3, circlelooper, codynhat, crack-the-kelp, critical-or-high, debo, deepkin, desaperh, dipp, eeshenggoh, evmboi32, ge6a, gesha17, glcanvas, gumgumzum, hals, hihen, hunter_w3b, jasonxiale, joaovwfreire, ke1caM, leegh, lsaudit, marchev, merlinboii, niser93, osmanozdemir1, paritomarrr, passion, pep7siup, phoenixV110, pipidu83, poneta, ro1sharkm, rouhsamad, rvierdiiev, sakshamguruji, seerether, shealtielanz, soliditytaker, spark, squeaky_cactus, stackachu, supersizer0x, tallo, taner2344, turvy_fuzz, twcctop, ubl4nk, wisdomn_, xAriextz, zach, zhaojie, zhaojohnson, ziyou-
2.7592 USDC - $2.76
addNodeDelegatorContractToQueue doesn't check nodeDelegatorContracts for duplicates
It's possible to add duplicate nodes to the queue, and there is no function to delete from nodeDelegatorQueue. Once a duplicate node is added, the duplicate node's data will be summed twice; this will affect the deposit logic and price calculation.
getAssetBalance should check asset is valid
https://github.com/code-423n4/2023-11-kelp/blob/ee1154fcb6f6619cdc9aeda27503d9a2cbf6d8eb/src/NodeDelegator.sol#L121 should check whether the input asset is valid or not.
pause never gets used in this NodeDelegator
pause is defined, but never gets used.
updateMaxNodeDelegatorCount: new maxNodeDelegatorCount_ should be higher than current node length
but there is no such check.
#0 - c4-pre-sort
2023-11-18T00:17:35Z
raymondfam marked the issue as insufficient quality report
#1 - c4-judge
2023-12-01T16:40:43Z
fatherGoose1 marked the issue as grade-b