The user may lose funds if oracle returns 0 in case of incorrect operation #558
Labels
3 (High Risk)
Assets can be stolen/lost/compromised directly
bug
Something isn't working
duplicate-34
insufficient quality report
This report is not of sufficient quality
unsatisfactory
does not satisfy C4 submission criteria; not eligible for awards
Comments
c4-submissions
added
3 (High Risk)
|
raymondfam marked the issue as sufficient quality report |
c4-pre-sort
added
the
sufficient quality report
|
raymondfam marked the issue as duplicate of #32 |
|
raymondfam marked the issue as insufficient quality report |
c4-pre-sort
added
insufficient quality report
|
raymondfam marked the issue as not a duplicate |
|
raymondfam marked the issue as duplicate of #34 |
c4-judge
added
the
unsatisfactory
|
fatherGoose1 marked the issue as unsatisfactory: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L95-L110
Vulnerability details
Impact
The function LRTDepositPool.getRsETHAmountToMint() (https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L95-L110) calculates the amount of rsETH to mint for a given asset amount .
Proof of Concept
Suppose that the function, due to incorrect operation of the oracle, returned rsethAmountToMint = 0.
In the function _mintRsETH() (https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L151-L157) will be called
IRSETH(rsethToken).mint(msg.sender, rsethAmountToMint), which will receive rsethAmountToMint = 0.
Those. The user will receive 0 rsETH tokens.
At the same time, it will send depositAmount: https://github.com/code-423n4/2023-11-kelp/blob/main/src/LRTDepositPool.sol#L136
Tools Used
Manual review
Recommended Mitigation Steps
Check that rsethAmountMinted != 0
Assessed type
Invalid Validation
The text was updated successfully, but these errors were encountered: