Furnace would melt less than intended #37
Labels
2 (Med Risk)
Assets not at direct risk, but function/availability of the protocol could be impacted or leak value
bug
Something isn't working
MR-M-04
satisfactory
satisfies C4 submission criteria; eligible for awards
selected for report
This submission will be included/highlighted in the audit report
sponsor acknowledged
Technically the issue is correct, but we're not going to resolve it for XYZ reasons
Comments
code423n4
added
2 (Med Risk)
|
I think this can only happen when frozen, not while paused. |
c4-sponsor
added
the
sponsor acknowledged
|
tbrent marked the issue as sponsor acknowledged |
|
0xean marked the issue as satisfactory |
c4-judge
added
the
satisfactory
|
0xean marked the issue as selected for report |
c4-judge
added
the
selected for report
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
https://github.com/reserve-protocol/protocol/blob/99d9db72e04db29f8e80e50a78b16a0b475d79f3/contracts/p1/Furnace.sol#L92-L105
Vulnerability details
We traded one problem with another here
The original issue was that in case
melt()fails then the distribution would use the new rate for previous periods as well.The issue now is that in case of a failure (e.g. paused or frozen) we simply don’t melt for the previous period. Meaning RToken holders would get deprived of the melting they’re supposed to get.
This is esp. noticeable when the ratio has been decreased and the balance didn’t grow much, in that case we do more harm than good by updating
lastPayoutandlastPayoutBal.A better mitigation might be to update the
lastPayoutin a way that would reflect the melting that should be distributed.Assessed type
Other
The text was updated successfully, but these errors were encountered: