Custom redemption might revert if old assets were unregistered #4
Comments
I believe this to be a stretch for high severity. It has several pre-conditions to end up in the proposed state, and I do believe it would be entirely possible for governance to change back to the original state (USDC, USDT, DAI), so assets wouldn't be lost and the impact would be more along the lines of a temporary denial of service. Look forward to warden and sponsor comments.
@0xA5DF nice find! Thoughts on an alternative mitigation?
Hey @tbrent
Noted, good point.
tbrent marked the issue as sponsor confirmed
@tbrent - do you care to comment on your thoughts on severity? I am leaning towards M on this, but it sounds like you believe it is correct as labeled (high). |
Correct, I think high is appropriate. |
0xean marked the issue as satisfactory |
Lines of code
https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/BasketHandler.sol#L391-L392
Vulnerability details
`quoteCustomRedemption()` works under the assumption that the maximum size of `erc20sAll` should be `assetRegistry.size()`. However, there can be cases where an asset was unregistered but still exists in an old basket, making the size of the old basket greater than `assetRegistry.size()`. In that case the function will revert with an index-out-of-bounds error.

Impact
Users might not be able to use `redeemCustom` when needed.

I think this should be considered high severity, since being able to redeem the token at all times is an essential feature for the protocol that is allowed even while frozen.
Not being able to redeem can result in a depeg or in governance becoming malicious and stealing RToken collateral.
Proof of Concept
Consider the following scenario:
As for the revert:
`erc20sAll` is created here with the length of `assetRegistry.size()`, which is 2 in our case. `erc20sAll` which will result in an index-out-of-bounds error (the function doesn't include in the final results assets that aren't registered, but it does push them too into `erc20sAll`).

Recommended Mitigation Steps
Allow the user to specify the length of the array `erc20sAll` to avoid this revert.

Assessed type
Other
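A stripped-down Solidity model of the pattern described in this report, added here as an illustration; it is not the Reserve protocol's `BasketHandler` code and not part of the original submission. The contract, its storage names, `collect`, `quoteVulnerable`, `quoteFixed` and the `maxSize` parameter are assumptions: the first quote sizes `erc20sAll` from the registry and overruns it when an old basket holds a since-unregistered token, the second applies the report's mitigation of letting the caller choose the length.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added illustration, not the Reserve protocol's BasketHandler. Storage layout,
// function names and the `maxSize` parameter are assumptions made for this model.
contract CustomRedemptionModel {
    address[] public registered; // stands in for the asset registry; length == assetRegistry.size()
    address[] public oldBasket;  // a historical basket; may still hold a token unregistered since then

    constructor(address[] memory registered_, address[] memory oldBasket_) {
        registered = registered_;
        oldBasket = oldBasket_;
    }

    function isRegistered(address erc20) internal view returns (bool) {
        for (uint256 i = 0; i < registered.length; i++) {
            if (registered[i] == erc20) return true;
        }
        return false;
    }

    // Gathers every distinct old-basket token into erc20sAll (unregistered ones included,
    // so they count against the capacity), then keeps only the registered ones.
    function collect(uint256 capacity) internal view returns (address[] memory erc20s) {
        address[] memory erc20sAll = new address[](capacity);
        uint256 len = 0;
        for (uint256 i = 0; i < oldBasket.length; i++) {
            bool seen = false;
            for (uint256 j = 0; j < len; j++) {
                if (erc20sAll[j] == oldBasket[i]) { seen = true; break; }
            }
            if (seen) continue;
            require(len < capacity, "erc20sAll capacity exceeded"); // plain indexing would revert with Panic(0x32)
            erc20sAll[len++] = oldBasket[i];
        }
        uint256 kept = 0;
        for (uint256 i = 0; i < len; i++) if (isRegistered(erc20sAll[i])) kept++;
        erc20s = new address[](kept);
        uint256 k = 0;
        for (uint256 i = 0; i < len; i++) if (isRegistered(erc20sAll[i])) erc20s[k++] = erc20sAll[i];
    }

    // Reported pattern: capacity fixed to the registry size. With a 2-asset registry
    // and an old basket of 3 tokens (one unregistered), the third write reverts.
    function quoteVulnerable() external view returns (address[] memory) {
        return collect(registered.length);
    }

    // Report's mitigation: the caller supplies the capacity, e.g. the old basket's length.
    function quoteFixed(uint256 maxSize) external view returns (address[] memory) {
        return collect(maxSize);
    }
}
```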