Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shortfall might be calculated incorrectly if a price value for one collateral isn't fetched correctly #200

Open
code423n4 opened this issue Jan 19, 2023 · 4 comments
Open

Shortfall might be calculated incorrectly if a price value for one collateral isn't fetched correctly #200

code423n4 opened this issue Jan 19, 2023 · 4 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-20 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons

Comments

@code423n4
Copy link
Contributor

Lines of code

https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/p1/mixins/RecollateralizationLib.sol#L449

Vulnerability details

Impact

Function price() of an asset doesn't revert. It returns values (0, FIX_MAX) for low, high values of price in case there's a problem with fetching it. Code that calls price() is able to validate returned values to detect that returned price is incorrect.

Inside function collateralShortfall() of RecollateralizationLibP1 collateral price isn't checked for correctness. As a result incorrect value of shortfall might be calculated if there are difficulties to fetch a price for one of the collaterals.

Proof of Concept

Recommended Mitigation Steps

Check that price is correctly fetched for a collateral.
@code423n4 code423n4 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Jan 19, 2023
code423n4 added a commit that referenced this issue Jan 19, 2023
@code423n4
severity issue #200
620c7c5
@0xean
Copy link

0xean commented Jan 24, 2023

Mitigation here is a little challenging to understand considering checking a price is hard on chain and hence the concern.

I think this issue is a bit too general, but would like further comments.

@c4-judge
Copy link
Contributor

0xean marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Jan 24, 2023
@tbrent
Copy link

tbrent commented Jan 26, 2023

I think this issue is real, but it happens in a super-corner-case that I doubt the warden is thinking about.

Some related statements:

  • prepareRecollateralizationTrade checks that all collateral in the basket is SOUND before calling collateralShortfall
  • From docs/collateral.md: "Should return (0, FIX_MAX) if pricing data is unavailable or stale."

collateralShortfall should never reach a collateral with FIX_MAX high price in the normal flow of things.

But, it is possible for one RToken system instance to have an RTokenAsset registered for a 2nd RToken. In this case, it could be that RToken 2 contains a collateral plugin that is now connected to a broken oracle, but RToken 2 may not have recognized this yet. When RToken 1 calls RTokenAsset.price(), it could end up reverting because of overflow in this line from collateralShortfall:

shortfall = shortfall.plus(needed.minus(held).mul(priceHigh, CEIL));

So I think it's a real issue, and I would even leave it as Medium severity.

@c4-sponsor
Copy link

tbrent marked the issue as sponsor acknowledged

@c4-sponsor c4-sponsor added the sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons label Jan 26, 2023
@tbrent tbrent mentioned this issue Jan 30, 2023
Merged
@C4-Staff C4-Staff added selected for report This submission will be included/highlighted in the audit report M-20 labels Feb 10, 2023
This was referenced Feb 16, 2023
Open
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working M-20 satisfactory satisfies C4 submission criteria; eligible for awards selected for report This submission will be included/highlighted in the audit report sponsor acknowledged Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@tbrent @0xean @code423n4 @c4-judge @c4-sponsor @C4-Staff