Lines of code
Vulnerability details
This issue is mitigated.
Explanation of found problem
This issue allowed an attacker to disable the basket when unregistering an asset that was not in the basket. This was possible through gas manipulation: the attacker only needed to supply too little gas for the basketHandler.quantity call to execute. The resulting failure was caught, and the basket was disabled. A disabled basket paused some system actions and could lead to unneeded trading losses.
How it was fixed
The Reserve team fixed this by ensuring that the call is provided with enough gas to execute basketHandler.quantity. The attack can no longer be replayed, because the code ensures that GAS_FOR_BH_QTY gas is sent with the basketHandler.quantity call.
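The pattern described above, shown as an added Solidity example that is not the Reserve code: a try/catch that treats any failure of the quantity call as a reason to disable the basket, next to a version that refuses to proceed unless GAS_FOR_BH_QTY can be forwarded. The interface, contract and function names are hypothetical, and the values of GAS_FOR_BH_QTY and CALL_MARGIN are constructed placeholders.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Hypothetical minimal interface; only the two calls named in the write-up.
interface IBasketHandlerLike {
    function quantity(address erc20) external view returns (uint192);
    function disableBasket() external;
}

// Hypothetical contract; access control omitted to keep the focus on gas.
contract UnregisterGasCheck {
    // Name from the write-up; the value is a constructed placeholder.
    uint256 public constant GAS_FOR_BH_QTY = 100_000;
    // Constructed allowance for the cost of issuing the call itself.
    uint256 public constant CALL_MARGIN = 5_000;

    IBasketHandlerLike public immutable basketHandler;

    constructor(IBasketHandlerLike bh) {
        basketHandler = bh;
    }

    // Before: a genuine revert in quantity() and an out-of-gas caused by an
    // underfunded transaction are indistinguishable in the catch branch.
    function unregisterUnchecked(address erc20) external {
        try basketHandler.quantity(erc20) returns (uint192 q) {
            if (q > 0) basketHandler.disableBasket();
        } catch {
            basketHandler.disableBasket();
        }
    }

    // After: revert the whole transaction unless the sub-call can be funded.
    function unregisterChecked(address erc20) external {
        // A sub-call receives at most 63/64 of the remaining gas (EIP-150),
        // and {gas: ...} is silently capped, so check before calling.
        uint256 needed = (GAS_FOR_BH_QTY * 64) / 63 + CALL_MARGIN;
        require(gasleft() > needed, "not enough gas to unregister safely");
        try basketHandler.quantity{ gas: GAS_FOR_BH_QTY }(erc20) returns (uint192 q) {
            if (q > 0) basketHandler.disableBasket();
        } catch {
            basketHandler.disableBasket();
        }
    }
}
```

With the check in place, an underfunded transaction reverts before the try block, so the catch branch is only reached when quantity itself fails with its full gas budget.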