code-423n4 / 2023-09-reserve-mitigation-findings

M-08 MitigationConfirmed #34

Open c4-submissions opened 1 year ago

c4-submissions commented 1 year ago

Lines of code

https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/curve/CurveStableRTokenMetapoolCollateral.sol#L46-L54
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/curve/CurveStableCollateral.sol#L119-L121
https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/curve/CurveStableMetapoolCollateral.sol#L122-L138

Vulnerability details

The identified vulnerability lies within the CurveStableMetapoolCollateral and affects the mechanism by which users are able to redeem their RTokens. When the price oracle for the underlying collateral of a paired RToken is offline or times out, the RTokenAsset.price returns an inaccurate (low, high) price range which adversely impacts the redemption process. This leads to a halt in redemptions, potentially causing a serious run/depeg on the RToken.

Mitigation

PR #917

The mitigation involves amending the CurveStableMetapoolCollateral contract to handle the potential overflow error and ensure accurate price reporting even during a price oracle timeout.

This update, particularly the change from uint192 mid = (low + high) / 2 to uint256 mid = (low + uint256(high)) / 2, allows for a safer calculation that prevents an overflow error, thus maintaining accurate price data and ensuring the redemption process remains functional even during price oracle timeouts.

Conclusion

The proposed changes were implemented as outlined in the sponsor’s response. The adjusted code snippet now correctly handles potential overflow errors, enabling the redemption process to continue even during price oracle timeouts. The reported issue of users being unable to redeem RTokens based on CurveStableRTokenMetapoolCollateral during price oracle timeouts for any underlying collateral of paired RToken has been successfully mitigated.
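
An added illustration, not part of the original submission or of the Reserve protocol code: the two midpoint expressions quoted above, placed side by side under Solidity 0.8 checked arithmetic. The contract and function names are hypothetical, and the input at the uint192 ceiling is constructed to trigger the overflow.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity >=0.8.1 <0.9.0;

/// Added illustration; contract and function names are hypothetical,
/// not taken from the Reserve protocol code base.
contract MidpointOverflowDemo {
    // Pre-fix expression: the addition is evaluated in uint192, so the
    // compiler's checked arithmetic reverts with Panic(0x11) when
    // low + high exceeds type(uint192).max.
    function midNarrow(uint192 low, uint192 high) external pure returns (uint192) {
        uint192 mid = (low + high) / 2;
        return mid;
    }

    // Post-fix expression: casting one operand to uint256 widens the whole
    // addition. Two uint192 values sum to less than 2**193, so the sum
    // cannot overflow uint256 and the call never reverts on the addition.
    function midWide(uint192 low, uint192 high) external pure returns (uint256) {
        uint256 mid = (low + uint256(high)) / 2;
        return mid;
    }

    // Runs both forms on the same inputs and reports whether the narrow
    // form reverted, so the difference is observable from a single call.
    function probe(uint192 low, uint192 high)
        external
        view
        returns (bool narrowReverted, uint256 panicCode, uint256 wideMid)
    {
        try this.midNarrow(low, high) {
            // no overflow: narrowReverted stays false
        } catch Panic(uint256 code) {
            narrowReverted = true;
            panicCode = code; // 0x11 is the arithmetic overflow/underflow code
        }
        wideMid = this.midWide(low, high);
    }

    // Constructed input (an assumption, not a value from the report):
    // a price range whose upper bound sits at the uint192 ceiling.
    function probeAtCeiling() external view returns (bool, uint256, uint256) {
        return this.probe(1, type(uint192).max);
    }
}
```

Any caller that does not catch the panic from the narrow form reverts along with it, which is how a single arithmetic overflow in a price calculation can stall the code path that depends on it.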

c4-judge commented 1 year ago

thereksfour marked the issue as satisfactory