Furnace would melt less than intended #37
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
MR-M-04
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Lines of code
https://github.com/reserve-protocol/protocol/blob/99d9db72e04db29f8e80e50a78b16a0b475d79f3/contracts/p1/Furnace.sol#L92-L105
Vulnerability details
We traded one problem with another here
The original issue was that in case
melt()
fails then the distribution would use the new rate for previous periods as well.The issue now is that in case of a failure (e.g. paused or frozen) we simply don’t melt for the previous period. Meaning RToken holders would get deprived of the melting they’re supposed to get.
This is esp. noticeable when the ratio has been decreased and the balance didn’t grow much, in that case we do more harm than good by updating
lastPayout
andlastPayoutBal
.A better mitigation might be to update the
lastPayout
in a way that would reflect the melting that should be distributed.Assessed type
Other
The text was updated successfully, but these errors were encountered: