code-423n4 / 2023-08-reserve-mitigation-findings


M-03 MitigationConfirmed #10

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

Vulnerability details

This issue is mitigated, but partly.

Explanation of found problem

This issue was raised by me and has several points to check. One of the points occurs when the distribution is changed while funds that should be distributed are in the RevenueTrader or are currently trading in the auction. So I provided an example in which the distribution is changed to 0, which causes funds to be stuck in the RevenueTrader. This part was fixed by the sponsor, as they provided an additional function, returnTokens, which allows tokens to be returned to the BackingManager in case the distribution is 0.

Another point that I raised in the report was unfair distribution when the distribution is changed. This part was not addressed by the sponsor. When the distribution is changing, forwardRevenue should be called beforehand, in order to fairly distribute revenue to the RToken RevenueTrader and the RSR RevenueTrader. This should guarantee that the correct amount of funds will be distributed for the previous period.

As a recommendation, I would call forwardRevenue before changing the distribution (maybe in try/catch). But I understand that it's not an easy fix (it adds a dependency for the distributor) and is maybe not worth it.
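
The unaddressed point above, as an added example that is not part of the original report and not the protocol's own code: a simplified Python model comparing a distribution change made with and without forwarding pending revenue first. The class, the share values and the amounts are constructed assumptions; only the names forwardRevenue, BackingManager and RevenueTrader come from the report.

```python
# Simplified accounting model (assumption), not the Reserve protocol contracts.
from dataclasses import dataclass, field


@dataclass
class RevenueModel:
    rtoken_share: int  # weight of the RToken RevenueTrader
    rsr_share: int     # weight of the RSR RevenueTrader
    pending: int = 0   # revenue held by the BackingManager, not yet forwarded
    traders: dict = field(default_factory=lambda: {"rToken": 0, "rsr": 0})

    def accrue(self, amount: int) -> None:
        self.pending += amount

    def forward_revenue(self) -> None:
        """Split pending revenue using the shares in force right now."""
        total = self.rtoken_share + self.rsr_share
        if total == 0:
            raise ValueError("distribution is 0")  # modelled as a revert
        to_rtoken = self.pending * self.rtoken_share // total
        self.traders["rToken"] += to_rtoken
        self.traders["rsr"] += self.pending - to_rtoken
        self.pending = 0

    def set_distribution(self, rtoken_share: int, rsr_share: int,
                         forward_first: bool = False) -> None:
        if forward_first:
            try:
                # Settle the previous period under the old shares.
                self.forward_revenue()
            except ValueError:
                pass  # a failed forward must not block the share change
        self.rtoken_share, self.rsr_share = rtoken_share, rsr_share


def run(forward_first: bool) -> dict:
    m = RevenueModel(rtoken_share=40, rsr_share=60)
    m.accrue(1000)                             # earned while shares are 40/60
    m.set_distribution(80, 20, forward_first)  # shares change to 80/20
    m.accrue(1000)                             # earned while shares are 80/20
    m.forward_revenue()
    return m.traders


if __name__ == "__main__":
    print("change only:       ", run(False))
    print("forward, then set: ", run(True))
```

Without the forward, the 1000 units earned under 40/60 are split at 80/20, so the RSR side receives 400 instead of 800 over the two periods.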

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

0xean marked the issue as unmitigated

c4-judge commented 1 year ago

0xean marked the issue as new finding

0xean commented 1 year ago

@C4-Staff - I am unable to do so, but can you please mark this as a duplicate of #36

c4-sponsor commented 1 year ago

captainmangoC4 marked the issue as duplicate of #36

liveactionllama commented 1 year ago

Note: the two labels above were added by C4 staff on behalf of the judge.

c4-judge commented 1 year ago

0xean marked the issue as unmitigated

c4-judge commented 1 year ago

0xean marked the issue as new finding