Lines of code
Vulnerability details
This issue is mitigated.
Explanation of found problem
The problem described by the warden occurred in a special situation: an asset was unregistered from the registry, which removes it from the asset list and reduces the registry size, and then a user called the `RToken.redeemCustom` function for a basket in which that asset was present.
The `BasketHandler.quoteCustomRedemption` function then creates the `erc20sAll` array using the current size of the registry (which was decreased by the unregistered token). Later, the function loops through all tokens in the basket (whose count is bigger than the `erc20sAll` size) and puts them into the `erc20sAll` array. Once the `len` index is bigger than the `erc20sAll` size, the function reverts with an out-of-bounds error.
How it was fixed
The Reserve team fixed this by [checking if basket token is registered in registry](https://github.com/reserve-protocol/protocol/pull/857/files#diff-da66c41f7b4b109bc1a40a5f0fec2f147da983ca2084c20b176b421338982acaR487). If a token is unregistered, it is removed from the `_erc20s` variable in AssetRegistry, so `assetRegistry().toAsset` will revert and such a token will not be stored in the `erc20sAll` array, as you can see in the `catch` section.
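A minimal model of the bug and the fix described above, as an added example that is not the Reserve protocol's code. `ToyRegistry`, `ToyQuoter` and their functions are hypothetical, and the registry is reduced to a mapping plus a size counter.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Simplified model written for this example; not Reserve protocol code.
// ToyRegistry, ToyQuoter and their functions are hypothetical names.
contract ToyRegistry {
    mapping(address => bool) public isRegistered;
    uint256 public size; // number of currently registered tokens

    function register(address erc20) external {
        require(!isRegistered[erc20], "already registered");
        isRegistered[erc20] = true;
        size++;
    }

    function unregister(address erc20) external {
        require(isRegistered[erc20], "not registered");
        isRegistered[erc20] = false;
        size--; // registry shrinks, but baskets may still reference erc20
    }

    // Reverts for an unregistered token, like the toAsset lookup described above.
    function toAsset(address erc20) external view returns (address) {
        require(isRegistered[erc20], "erc20 unregistered");
        return erc20;
    }
}

contract ToyQuoter {
    ToyRegistry public immutable registry;

    constructor(ToyRegistry r) { registry = r; }

    // Before: every basket token is written, so a basket that still lists an
    // unregistered token overruns erc20sAll and panics with code 0x32.
    function quoteUnchecked(address[] calldata basket) external view returns (uint256 len) {
        address[] memory erc20sAll = new address[](registry.size());
        for (uint256 i = 0; i < basket.length; ++i) erc20sAll[len++] = basket[i];
    }

    // After: toAsset reverts for the unregistered token and the catch skips it.
    function quoteChecked(address[] calldata basket) external view returns (uint256 len) {
        address[] memory erc20sAll = new address[](registry.size());
        for (uint256 i = 0; i < basket.length; ++i) {
            try registry.toAsset(basket[i]) returns (address a) { erc20sAll[len++] = a; }
            catch { /* unregistered token: not stored */ }
        }
    }
}
```

Registering two tokens, unregistering one, and passing both as the basket makes `quoteUnchecked` revert while `quoteChecked` returns 1.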