rvierdiiev data for issue #28

data/rvierdiiev-Q.md

@@ -0,0 +1,20 @@
+## #1. BasketHandler.warmupPeriod can be changed, when basket is in warm up period
+
+## Impact
+BasketHandler.warmupPeriod can be changed, when basket is in warm up period, which will allow another contracts to call basket handler.
+
+## Proof of Concept
+`BasketHandler.isReady` function is used by another components to check if it's possible to communicate with basket handler.
+https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/BasketHandler.sol#L261-L265
+```solidity
+    function isReady() external view returns (bool) {
+        return
+            status() == CollateralStatus.SOUND &&
+            (block.timestamp >= lastStatusTimestamp + warmupPeriod);
+    }
+```
+As you can see `warmupPeriod` period is needed to wait [after basket status changed](https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/BasketHandler.sol#L154).
+The problem that owner [can change `warmupPeriod`](https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/BasketHandler.sol#L492-L496) period any time. And in case if warmup has already started before it will rewrite it.
+
+## Recommended Mitigation Steps
+You need to store time, where warmup will be finished instead of using `warmupPeriod` check.