search

code-423n4 / 2023-02-reserve-mitigation-contest-findings

1 stars 0 forks source link

Mitigation Confirmed for Mitigation of M-20: Issue mitigated #21

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Link to finding

https://github.com/code-423n4/2023-01-reserve-findings/issues/200

Mitigation Review

The report by the warden is very general.

And it is not correct in the general sense.

Recollateralization can only occur when the basket is SOUND which means that no collateral in the basket has a price of FIX_MAX.

tbrent brought up the following edge case:

Link

But, it is possible for one RToken system instance to have an RTokenAsset registered for a 2nd RToken. In this case, it could be that RToken 2 contains a collateral plugin that is now connected to a broken oracle, but RToken 2 may not have recognized this yet. When RToken 1 calls RTokenAsset.price(), it could end up reverting because of overflow in this line from collateralShortfall

This is not possible. And tbrent already confirmed to me that it is not possible. It is because RTokenAsset is not a collateral.

There does not exist a collateral that is based on an RToken.

So an RToken cannot be backed by another RToken.

Therefore the issue is not valid.

I only submit this as mitigated because there is no other option in the reporting functionality.

c4-judge commented 1 year ago

0xean marked the issue as satisfactory