You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The RTokenAsset contract within the reserve-protocol estimates the asset price by multiplying the Basket Unit (BU) price estimation with the estimation of baskets held and then dividing by the total supply. The identified issue is that both the Basket Unit (BU) and the estimation of baskets held account for a margin of error regarding price, which potentially widens the range of the price more than necessary.
This issue could lead to an inflated high price estimation and a deflated low price estimation. The identified impacts include:
Setting a lower minimum price for trading which might result in selling the asset for less than its actual value.
Preventing the sale of the asset due to lotLow falling below the minimum trade volume.
Misestimation of the basket range on the 'parent' RToken.
Mitigation
PR #916
The sponsor acknowledged the vulnerability by adding detailed comments explaining the compounding error that could arise in tryPrice(), price(), and lotPrice(), which are involved in the price calculation. Additional documentation was added explaining the potential for a larger price range due to oracleError and how it can be mitigated via RSR overcollateralization.
Conclusion
The necessary steps have been taken to address/caution the identified issue in the RTokenAsset price estimation process although no code refactoring has been implemented. Further monitoring and testing are recommended to ensure the impact is as negligible as it could have seemed.
The text was updated successfully, but these errors were encountered:
Lines of code
Vulnerability details
Lines of code
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/RTokenAsset.sol#L53-L72
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/RTokenAsset.sol#L100-L115
Vulnerability details
The
RTokenAsset
contract within the reserve-protocol estimates the asset price by multiplying the Basket Unit (BU) price estimation with the estimation of baskets held and then dividing by the total supply. The identified issue is that both the Basket Unit (BU) and the estimation of baskets held account for a margin of error regarding price, which potentially widens the range of the price more than necessary.This issue could lead to an inflated high price estimation and a deflated low price estimation. The identified impacts include:
lotLow
falling below the minimum trade volume.Mitigation
PR #916
The sponsor acknowledged the vulnerability by adding detailed comments explaining the compounding error that could arise in
tryPrice()
,price()
, andlotPrice()
, which are involved in the price calculation. Additional documentation was added explaining the potential for a larger price range due to oracleError and how it can be mitigated via RSR overcollateralization.Conclusion
The necessary steps have been taken to address/caution the identified issue in the RTokenAsset price estimation process although no code refactoring has been implemented. Further monitoring and testing are recommended to ensure the impact is as negligible as it could have seemed.
The text was updated successfully, but these errors were encountered: