c4-sponsor
commented
1 year ago tbrent marked the issue as disagree with severity
Open code423n4 opened 1 year ago
c4-sponsor
commented
1 year ago tbrent marked the issue as disagree with severity
c4-sponsor
commented
1 year ago tbrent marked the issue as sponsor confirmed
tbrent
commented
1 year ago Agree with warden that this is an issue, but we think it is low severity since the newly set caps will be applied to restrict the throttle.
We expect to make a change to accumulate the throttle in set*ThrottleParams().
c4-judge
commented
1 year ago 0xean changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/p1/RToken.sol#L444-L459
Vulnerability details
Impact
RToken.setIssuanceThrottleParams and RToken.setRedemptionThrottleParams doesn't update lastTimestamp for the limiter. As result, next call to
Throttle.useAvailablewill calculate available amount incorrectly.Proof of Concept
RToken has issuance throttle and redemption throttle, which should restrict amount that can be used by user on hourly basis. https://github.com/reserve-protocol/protocol/blob/c4ec2473bbcb4831d62af55d275368e73e16b984/contracts/libraries/Throttle.sol#L67-L75
As you can see, available amount depends on
throttle.lastTimestamp, when available amount was calculated for the last time.Params for the throttle can be changed by governance. In this case, calculations will use new
amtRateandpctRate. But because,throttle.lastTimestampis not updated, that means that this new values will affect older time as well, which is incorrect.Tools Used
VsCode
Recommended Mitigation Steps
You need to update
throttle.lastTimestampwhen change params. Maybe calluseAvailablein order to do that.Assessed type
Error