Open code423n4 opened 1 year ago
tbrent marked the issue as sponsor confirmed
Anticipating adding a try-catch at the start of setDistribution()
targeting RevenueTrader.distributeTokenToBuy()
i have described same thing here, but marked as mitigated
0xean marked the issue as satisfactory
0xean marked the issue as primary issue
0xean marked the issue as selected for report
Anticipating adding a try-catch at the start of
setDistribution()
targetingRevenueTrader.distributeTokenToBuy()
added here: https://github.com/reserve-protocol/protocol/blob/3.1.0/contracts/p1/Distributor.sol#L59
Lines of code
https://github.com/reserve-protocol/protocol/blob/99d9db72e04db29f8e80e50a78b16a0b475d79f3/contracts/p1/Distributor.sol#L59-L63
Vulnerability details
Mitigation does solve the issue, however there’s a wider issue here that funds aren’t distributed before set distribution is executed. Fully mitigating the issue might not be possible, as it’d require to send from the backing manager to revenue trader and sell all assets for the
tokenToBuy
. But we can at least distribute the current balance before changing the distribution.Assessed type
Other