M-03 MitigationConfirmed #31

Open
c4-submissions opened this issue Sep 28, 2023 · 1 comment
Labels
mitigation-confirmed MR-M-03 satisfactory satisfies C4 submission criteria; eligible for awards

Comments

@c4-submissions

Lines of code

https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/RTokenAsset.sol#L53-L72
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/RTokenAsset.sol#L100-L115

Vulnerability details

The RTokenAsset contract within the reserve-protocol estimates the asset price by multiplying the Basket Unit (BU) price estimation with the estimation of baskets held and then dividing by the total supply. The identified issue is that both the Basket Unit (BU) and the estimation of baskets held account for a margin of error regarding price, which potentially widens the range of the price more than necessary.

This issue could lead to an inflated high price estimation and a deflated low price estimation. The identified impacts include:

  1. Setting a lower minimum price for trading which might result in selling the asset for less than its actual value.
  2. Preventing the sale of the asset due to lotLow falling below the minimum trade volume.
  3. Misestimation of the basket range on the 'parent' RToken.

Mitigation

PR #916
The sponsor acknowledged the vulnerability by adding detailed comments explaining the compounding error that could arise in tryPrice(), price(), and lotPrice(), which are involved in the price calculation. Additional documentation was added explaining the potential for a larger price range due to oracleError and how it can be mitigated via RSR overcollateralization.

Conclusion

The necessary steps have been taken to address/caution the identified issue in the RTokenAsset price estimation process although no code refactoring has been implemented. Further monitoring and testing are recommended to ensure the impact is as negligible as it could have seemed.
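
The compounding described in this report, as an added example that is not part of the original issue or the protocol's code: a simplified Python model that assumes the BU price and the baskets-held estimate each carry the same symmetric relative price error. All function names and sample numbers are constructed for illustration.

```python
from fractions import Fraction as F


def interval(value, rel_err):
    """[low, high] for a point estimate with a symmetric relative error."""
    return (value * (1 - rel_err), value * (1 + rel_err))


def rtoken_price(bu_price, baskets_held, supply, oracle_error):
    """Model of price = BU price * baskets held / total supply.

    Returns (compounded, single):
      compounded: error applied to the BU price AND to baskets held
      single:     error applied once to the point estimate (reference)
    """
    bu_low, bu_high = interval(bu_price, oracle_error)
    # Assumption: the baskets-held estimate is itself derived from prices,
    # so it carries the same margin of error a second time.
    b_low, b_high = interval(baskets_held, oracle_error)
    compounded = (bu_low * b_low / supply, bu_high * b_high / supply)
    single = interval(bu_price * baskets_held / supply, oracle_error)
    return compounded, single


def width(rng):
    return rng[1] - rng[0]


def sellable(amount, low_price, min_trade_volume):
    """Simplified stand-in for the lotLow vs. minimum trade volume check."""
    return amount * low_price >= min_trade_volume


# Constructed sample: 1.00 per BU, 1000 baskets, 1000 supply, 1% oracle error.
COMPOUNDED, SINGLE = rtoken_price(F(1), F(1000), F(1000), F(1, 100))

if __name__ == "__main__":
    print("single error   :", [float(x) for x in SINGLE])       # 0.99 .. 1.01
    print("compounded     :", [float(x) for x in COMPOUNDED])   # 0.9801 .. 1.0201
    print("range widening :", float(width(COMPOUNDED) / width(SINGLE)))
    # A 1015-token lot clears a 1000-unit minimum with the single-error low
    # price but is blocked once the low price is deflated by the second error.
    print("sellable single    :", sellable(1015, SINGLE[0], 1000))
    print("sellable compounded:", sellable(1015, COMPOUNDED[0], 1000))
```

In this model the compounded range is exactly twice as wide as the single-error range for any error value, which is the widening the first two impacts in the report depend on.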

@c4-judge

c4-judge commented Oct 9, 2023

thereksfour marked the issue as satisfactory

@c4-judge c4-judge added the satisfactory satisfies C4 submission criteria; eligible for awards label Oct 9, 2023