Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

getRSETHPrice can return wrong price and let users mint at a different rate. #223

Closed
c4-submissions opened this issue Nov 13, 2023 · 10 comments
Closed

getRSETHPrice can return wrong price and let users mint at a different rate. #223

c4-submissions opened this issue Nov 13, 2023 · 10 comments
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-215 grade-b QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards

Comments

@c4-submissions
Copy link
Contributor

Lines of code

https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L52-L79
https://github.com/code-423n4/2023-11-kelp/blob/f751d7594051c0766c7ecd1e68daeb0661e43ee3/src/LRTOracle.sol#L46

Vulnerability details

Impact

getRSETHPrice can return wrong price and let users mint at a different rate.

Proof of Concept

  • Let's take a look at the getRSETHPrice function
function getRSETHPrice() external view returns (uint256 rsETHPrice) {
    address rsETHTokenAddress = lrtConfig.rsETH();
    uint256 rsEthSupply = IRSETH(rsETHTokenAddress).totalSupply();

    if (rsEthSupply == 0) {
        return 1 ether;
    }

    uint256 totalETHInPool;
    address lrtDepositPoolAddr = lrtConfig.getContract(LRTConstants.LRT_DEPOSIT_POOL);

    address[] memory supportedAssets = lrtConfig.getSupportedAssetList();
    uint256 supportedAssetCount = supportedAssets.length;

    for (uint16 asset_idx; asset_idx < supportedAssetCount;) {
        address asset = supportedAssets[asset_idx];
        uint256 assetER = getAssetPrice(asset);

        uint256 totalAssetAmt = ILRTDepositPool(lrtDepositPoolAddr).getTotalAssetDeposits(asset);
        totalETHInPool += totalAssetAmt * assetER;
        
        unchecked {
            ++asset_idx;
        }
    }

    return totalETHInPool / rsEthSupply;
}
  • Let's say that the currently supported assets are cbETH, stETH and rETH.
  • Now let's look at the for-loop
for (uint16 asset_idx; asset_idx < supportedAssetCount;) {
    address asset = supportedAssets[asset_idx];
    uint256 assetER = getAssetPrice(asset);

    uint256 totalAssetAmt = ILRTDepositPool(lrtDepositPoolAddr).getTotalAssetDeposits(asset);
    totalETHInPool += totalAssetAmt * assetER;
    
    unchecked {
        ++asset_idx;
    }
}
  • It goes through all the supportedAssests (which equals 3) and calculates the value of each asset based on the current ER for the asset and the amount of the assets deposits.
  • Let's say that there are 10 ETH deposited for each asset, 10 for cbETH, 10 for stETH and 10 for rETH.
  • The totalETHInPool should result in 30 assuming the assetER retruns 1.
  • But what if assetER returns 0 for one asset due to oracle failure?
  • Let's say it returns 0 for the cbETH. Then totalETHInPool will be equal to 20 instead of 30.
  • In the end, we get the price as return totalETHInPool / rsEthSupply;
  • Now rsEthSupply should be 30 as we deposited the 30 eth and the resulting price would be 20 / 30 ~= 0.666666 ETH which is obviously wrong. (it should be 1 or very close to 1)
  • This happens due to insufficient checks for the return data of the oracle call.

Tools Used

VS Code

Recommended Mitigation Steps

Make sure to check that oracle call didn't fail and that the exchange rate is not 0

for (uint16 asset_idx; asset_idx < supportedAssetCount;) {
    address asset = supportedAssets[asset_idx];
    uint256 assetER = getAssetPrice(asset);
+   require(assetER != 0, "Oracle failure");
    
    uint256 totalAssetAmt = ILRTDepositPool(lrtDepositPoolAddr).getTotalAssetDeposits(asset);
    totalETHInPool += totalAssetAmt * assetER;
    
    unchecked {
        ++asset_idx;
    }
}

Assessed type

Invalid Validation
@c4-submissions c4-submissions added 3 (High Risk) Assets can be stolen/lost/compromised directly bug Something isn't working labels Nov 13, 2023
c4-submissions added a commit that referenced this issue Nov 13, 2023
@c4-submissions
evmboi32 issue #223
2831c73
@c4-pre-sort c4-pre-sort added the sufficient quality report This report is of sufficient quality label Nov 16, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #32

@c4-pre-sort c4-pre-sort added duplicate-32 insufficient quality report This report is not of sufficient quality and removed sufficient quality report This report is of sufficient quality labels Nov 16, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as insufficient quality report

@c4-pre-sort
Copy link

raymondfam marked the issue as not a duplicate

@c4-pre-sort c4-pre-sort reopened this Nov 17, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #34

@c4-pre-sort c4-pre-sort added sufficient quality report This report is of sufficient quality and removed insufficient quality report This report is not of sufficient quality labels Nov 17, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as sufficient quality report

@c4-pre-sort c4-pre-sort reopened this Nov 17, 2023
@c4-pre-sort
Copy link

raymondfam marked the issue as not a duplicate

@c4-pre-sort
Copy link

raymondfam marked the issue as duplicate of #215

@c4-judge
Copy link
Contributor

fatherGoose1 marked the issue as unsatisfactory:
Invalid

@c4-judge c4-judge added unsatisfactory does not satisfy C4 submission criteria; not eligible for awards downgraded by judge Judge downgraded the risk level of this issue and removed 3 (High Risk) Assets can be stolen/lost/compromised directly labels Nov 29, 2023
@c4-judge
Copy link
Contributor

c4-judge commented Dec 4, 2023

fatherGoose1 changed the severity to QA (Quality Assurance)

@c4-judge c4-judge added the QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax label Dec 4, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working downgraded by judge Judge downgraded the risk level of this issue duplicate-215 grade-b QA (Quality Assurance) Assets are not at risk. State handling, function incorrect as to spec, issues with clarity, syntax sufficient quality report This report is of sufficient quality unsatisfactory does not satisfy C4 submission criteria; not eligible for awards
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@c4-judge @c4-pre-sort @C4-Staff @c4-submissions