c4-judge
commented
1 year ago 0xean marked the issue as satisfactory
Open code423n4 opened 1 year ago
c4-judge
commented
1 year ago 0xean marked the issue as satisfactory
Lines of code
Vulnerability details
This issue is mitigated.
Explanation of found problem
The problem that was described by the warden, occurred in special situations, when asset was unregistered from registry, which removes it from assets list and changes registry size and then user used
RToken.redeemCustomfunction for the basket, where that asset was present.BasketHandler.quoteCustomRedemptionfunction then createserc20sAllarray using current size of registry(which was decreased by unregistered token). Later, function loops through all tokens in the basket(amount of which is bigger thanerc20sAllsize) and finally puts them intoerc20sAllarray. Oncelenindex is bigger thanerc20sAllsize, then this function will revert with out of bonds error.How it was fixed
Reserve team fixed this by [checking if basket token is registered in registry](https://github.com/reserve-protocol/protocol/pull/857/files#diff-da66c41f7b4b109bc1a40a5f0fec2f147da983ca2084c20b176b421338982acaR487. In case if token is unregistered, then it is removed from
_erc20svariable in AssetRegistry, soassetRegistry().toAssetwill revert and such token will not be stored toerc20sAllarray as you can see incatchsection.