code-423n4 / 2023-08-reserve-mitigation-findings

M-01 MitigationConfirmed #5

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

Vulnerability details

This issue is mitigated.

Explanation of found problem

When RebalancingManager decides to sell some assets, then RevenueTrader can create a Dutch trade auction. It starts with a high price and then decreases it over time. Once the price is good for someone, then he can bid and pay for the purchased assets. The RToken system would benefit from higher bids. The DutchTrade.bid function can be called at any time and it will then call the origin.settleTrade function, which will call RevenueTrader.settleTrade, which then should call BackingManager.settleTrade. Both of these functions have the notTradingPausedOrFrozen modifier, which will not allow bidding when trading is paused. Because of that, the RToken system will not receive the best price and someone can buy assets really cheaply when trading is unpaused.

How it was fixed

As proposed by the warden, the Reserve team has removed the notTradingPausedOrFrozen modifier from the RevenueTrader.settleTrade and BackingManager.settleTrade functions, which means that even when trading is paused, users can bid and provide a good price for assets.
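A toy model of the behaviour described in the comment above, added here as an illustration and not taken from the thread or from the Reserve code base. It compares the price a seller receives when settlement is guarded by a pause check with the price received once that guard is removed; the linear price curve, the pause window, and all numbers are assumptions.

```python
# Toy model (added example, not Reserve protocol code). Linear decay and all
# numbers are assumptions chosen for illustration.
from dataclasses import dataclass


class TradingPaused(Exception):
    """Stands in for the revert of a notTradingPausedOrFrozen-style guard."""


@dataclass
class DutchAuction:
    start_price: float
    end_price: float
    duration: int            # auction length in blocks
    guard_on_settle: bool    # True = settlement keeps the pause guard (pre-fix)

    def price(self, block: int) -> float:
        # Price falls linearly from start_price to end_price (assumed curve).
        elapsed = min(max(block, 0), self.duration)
        drop = (self.start_price - self.end_price) * elapsed / self.duration
        return self.start_price - drop

    def bid(self, block: int, paused: bool) -> float:
        # bid() settles immediately, so a guard on settlement blocks the bid.
        if self.guard_on_settle and paused:
            raise TradingPaused("settleTrade reverted: trading paused")
        return self.price(block)


def first_fill(auction, valuation, pause_window):
    """Return (block, price) of the first successful bid by a bidder who tries
    every block once the price is at or below their valuation."""
    start, end = pause_window
    for block in range(auction.duration + 1):
        if auction.price(block) > valuation:
            continue
        try:
            return block, auction.bid(block, paused=start <= block < end)
        except TradingPaused:
            continue  # bidder retries on the next block
    return None


PAUSE = (10, 35)  # constructed pause window: blocks 10..34
before = first_fill(DutchAuction(1000.0, 500.0, 40, True), 800.0, PAUSE)
after = first_fill(DutchAuction(1000.0, 500.0, 40, False), 800.0, PAUSE)
print("guarded settle:", before, "| unguarded settle:", after)
```

In this model the guarded auction fills only after the pause ends, at a lower point on the price curve, while the unguarded one fills as soon as the price reaches the bidder's valuation.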

c4-judge commented 1 year ago

0xean marked the issue as satisfactory

c4-judge commented 1 year ago

0xean marked the issue as confirmed for report