Closed code423n4 closed 1 year ago
0xean marked the issue as satisfactory
0xean marked the issue as unmitigated
0xean marked the issue as new finding
@C4-Staff - I am unable to do so, but can you please mark this as a duplicate of #36
captainmangoC4 marked the issue as duplicate of #36
Note: the two labels above were added by C4 staff on behalf of the judge.
0xean marked the issue as unmitigated
0xean marked the issue as new finding
Lines of code
Vulnerability details
This issue is mitigated, but partly.
Explanation of found problem
This issue was raised by me and has several points to check. One of the points occurs when the distribution is changed while funds that should be distributed are in the RevenueTrader or are currently trading in the auction. So I have provided an example where the distribution is changed to 0, which makes the funds stuck in RevenueTrader. This part was fixed by the sponsor, as they provided an additional function, returnTokens, which allows returning tokens to BackingManager in case the distribution is 0.

Another point that I raised in the report was unfair distribution in case of a change. This part was not addressed by the sponsor. When the distribution is changing, forwardRevenue should be called before, in order to fairly distribute revenue to the RToken RevenueTrader and the RSR RevenueTrader. This should guarantee that the correct amount of funds will be distributed for the previous period.

As a recommendation, I would call forwardRevenue before changing the distribution (maybe in try/catch). But I understand that it's not an easy fix (it adds a dependency for the distributor) and maybe not worth it.
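
The accounting gap described in the report above, as an added example that is not part of the original report or the sponsor's code: a toy Python ledger in which revenue accrued under one split is forwarded either after or before the split changes. The class, the share values (40/60 changed to 80/20), the amounts and the `forward_blocked` flag are constructed assumptions; only the names forwardRevenue, RevenueTrader and the try/catch idea come from the report.

```python
from fractions import Fraction

class RevenueModel:
    """Toy ledger (assumption): revenue waits in `pending` until forwarded."""
    def __init__(self, rtoken_share, rsr_share):
        self.shares = {"rtoken": rtoken_share, "rsr": rsr_share}
        self.pending = 0  # revenue not yet forwarded to the two RevenueTraders
        self.traders = {"rtoken": Fraction(0), "rsr": Fraction(0)}
        self.forward_blocked = False  # simulates forwardRevenue reverting

    def accrue(self, amount):
        self.pending += amount

    def forward_revenue(self):
        if self.forward_blocked:
            raise RuntimeError("forwardRevenue reverted")
        total = sum(self.shares.values())
        if total == 0 or self.pending == 0:
            return  # nothing to split; funds stay where they are
        for name, share in self.shares.items():
            self.traders[name] += Fraction(self.pending * share, total)
        self.pending = 0

    def set_distribution(self, rtoken_share, rsr_share, forward_first):
        if forward_first:
            try:
                # settle the previous period at the old split
                self.forward_revenue()
            except RuntimeError:
                pass  # like try/catch: a failed forward must not block the change
        self.shares = {"rtoken": rtoken_share, "rsr": rsr_share}

def scenario(forward_first, blocked=False):
    """1000 accrues at 40/60, split changes to 80/20, then 500 more accrues."""
    m = RevenueModel(40, 60)
    m.forward_blocked = blocked
    m.accrue(1000)
    m.set_distribution(80, 20, forward_first)
    m.forward_blocked = False
    m.accrue(500)
    m.forward_revenue()
    return m.traders["rtoken"], m.traders["rsr"]

if __name__ == "__main__":
    print("change only:       ", scenario(False))
    print("forward, then set: ", scenario(True))
    print("forward reverted:  ", scenario(True, blocked=True))
```

In this model the swallowed failure leaves the old period's revenue to be split at the new ratio, which is the same outcome as not forwarding at all.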