search

code-423n4 / 2023-09-reserve-mitigation-findings

0 stars 0 forks source link

M-05 MitigationConfirmed #32

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

Vulnerability details

Lines of code

https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/stargate/StargateRewardableWrapper.sol#L48

Vulnerability details

A vulnerability was identified within the StargateRewardableWrapper contract that could lead to the permanent lock of staked funds. The vulnerability was due to flawed deposit/withdraw/transfer logic which would revert under specific circumstances.

Mitigation

PR #896 Three key modifications were made to the smart contracts in response to the suggested recommendation:

  1. Change to StargatePoolFiatCollateral.sol: In situations where _totalSupply is 0, the _rate is now set to FIX_ONE to avoid any potential division by zero issues.

  2. Changes to StargateRewardableWrapper.sol: . _claimAssetRewards() has been modified to incorporate a conditional check for allocPoint and totalSupply() before calling stakingContract.deposit(poolId, 0). In case these conditions are not met, stakingContract.emergencyWithdraw(poolId) is called to safeguard the funds. . Modifications were also made to _afterDeposit() and _beforeWithdraw(), incorporating checks for poolInfo.allocPoint and conditionally calling stakingContract.deposit(poolId, _amount) or stakingContract.withdraw(poolId, _amount) and stakingContract.emergencyWithdraw(poolId) as necessary.

Conclusion

The changes (going beyond the suggested recommendation) made to the smart contracts successfully address the identified vulnerability, implementing a structured approach to handle emergency situations and ensuring that user funds remain accessible under all circumstances. This mitigation confirmation confirms the successful rectification of the identified issue, making the StargateRewardableWrapper and associated contracts more robust against potential adversarial actions.

c4-judge commented 12 months ago

thereksfour marked the issue as satisfactory

c4-judge commented 11 months ago

thereksfour marked the issue as nullified

c4-judge commented 11 months ago

thereksfour marked the issue as confirmed for report

c4-judge commented 11 months ago

thereksfour marked the issue as not confirmed for report

c4-judge commented 11 months ago

thereksfour marked the issue as satisfactory