H-01 MitigationConfirmed #3

Open
code423n4 opened this issue Aug 16, 2023 · 1 comment
Labels
mitigation-confirmed MR-H-01 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@code423n4
Contributor

Lines of code

Vulnerability details

This issue is mitigated.

Explanation of found problem

The problem described by the warden occurred in special situations: when an asset was unregistered from the registry, which removes it from the assets list and changes the registry size, and the user then used the `RToken.redeemCustom` function for a basket where that asset was present.

The `BasketHandler.quoteCustomRedemption` function then creates the `erc20sAll` array using the current size of the registry (which was decreased by the unregistered token). Later, the function loops through all tokens in the basket (the number of which is bigger than the `erc20sAll` size) and puts them into the `erc20sAll` array. Once the `len` index is bigger than the `erc20sAll` size, the function reverts with an out-of-bounds error.

How it was fixed

The Reserve team fixed this by [checking if the basket token is registered in the registry](https://github.com/reserve-protocol/protocol/pull/857/files#diff-da66c41f7b4b109bc1a40a5f0fec2f147da983ca2084c20b176b421338982acaR487). If a token is unregistered, it is removed from the `_erc20s` variable in AssetRegistry, so `assetRegistry().toAsset` will revert and such a token will not be stored in the `erc20sAll` array, as you can see in the catch section.
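
The failure and the fix described in this issue, as an added Python model that is not part of the issue or of Reserve's Solidity code. The class, function and parameter names and the token symbols are hypothetical; a fixed-length Python list stands in for the fixed-size `erc20sAll` memory array, and `IndexError` stands in for the out-of-bounds revert.

```python
# Simplified model (assumption): names follow the issue text, logic is illustrative.

class AssetRegistry:
    def __init__(self, erc20s):
        self._erc20s = list(erc20s)

    def size(self):
        return len(self._erc20s)

    def unregister(self, erc20):
        self._erc20s.remove(erc20)

    def to_asset(self, erc20):
        # Stands in for assetRegistry().toAsset reverting on an unregistered token.
        if erc20 not in self._erc20s:
            raise LookupError(f"{erc20} is not registered")
        return erc20


def quote_custom_redemption(registry, baskets, check_registered):
    # Fixed-size buffer sized from the *current* registry, like erc20sAll.
    erc20s_all = [None] * registry.size()
    length = 0
    for basket in baskets:
        for erc20 in basket:
            if erc20 in erc20s_all[:length]:
                continue  # already collected from an earlier basket
            if check_registered:
                try:
                    registry.to_asset(erc20)
                except LookupError:
                    continue  # the fix: skip tokens that are no longer registered
            erc20s_all[length] = erc20  # IndexError models the out-of-bounds revert
            length += 1
    return erc20s_all[:length]


def demo():
    registry = AssetRegistry(["USDC", "DAI", "USDT"])  # constructed sample tokens
    historical_basket = ["USDC", "DAI", "USDT"]        # basket still lists USDT
    registry.unregister("USDT")                        # registry size drops 3 -> 2
    try:
        quote_custom_redemption(registry, [historical_basket], check_registered=False)
        before = "ok"
    except IndexError:
        before = "reverted"
    after = quote_custom_redemption(registry, [historical_basket], check_registered=True)
    return before, after
```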

@c4-judge

0xean marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Aug 28, 2023