M-06 MitigationConfirmed #33
Labels
Comments
|
thereksfour marked the issue as satisfactory |
c4-judge
added
the
satisfactory
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Lines of code
Vulnerability details
Lines of code
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/curve/CurveStableMetapoolCollateral.sol#L83-L86
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/curve/CurveStableCollateral.sol#L74-L98
Vulnerability details
An issue was identified within
CurveStableMetapoolCollateral.tryPrice()where a critical deviation in the price was observed when the price oracle associated with thepairedTokenunderwent a timeout scenario. This led to a huge but legitimate high price being returned, which could potentially impact the reward trade and rebalance auction mechanisms within the protocol.Mitigation
PR #917
The sponsor acknowledged the presented issue and implemented the suggested changes to propagate
FIX_MAX. However, it was decided against making changes where (>0,FIX_MAX) becomes valid.The code was revised to address the issue, primarily by removing the try-catch block in
CurveStableMetapoolCollateral.tryPrice()and revising the approach to calculateaumHighreturned by_metapoolBalancesValue().Conclusion
The proposed mitigation was effectively implemented, resolving the potential vulnerability associated with the high price return in
CurveStableMetapoolCollateral.tryPrice()during oracle timeout scenarios. The sponsor’s timely action in revising the code ensures enhanced robustness and accuracy in the price calculation within the protocol.The text was updated successfully, but these errors were encountered: