Closed c4-bot-4 closed 1 month ago
only collateral in the basket will be bought
thereksfour marked the issue as unsatisfactory: Invalid
The _quantity() of an asset not in the basket will be 0, which means there is no need to buy it.
function _quantity(
IERC20 erc20,
ICollateral coll,
RoundingMode rounding
) internal view returns (uint192) {
uint192 refPerTok = coll.refPerTok();
if (refPerTok == 0) return FIX_MAX;
// {tok/BU} = {ref/BU} / {ref/tok}
return basket.refAmts[erc20].div(refPerTok, rounding);
}
You are right, sorry about the confusion and thanks for the clarification.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/mixins/RecollateralizationLib.sol#L332-L353
Vulnerability details
Impact
Invalid assets(e.g. assets not in current basket) can be bought which will make collateralization worse.
Proof of Concept
When the protocol becomes under-collateralized, trading events happen to sell over-collateralized tokens and to buy tokens with deficient supply.
The logic to choose what tokens to buy and sell are done via
nextTradePair
function:If current balance is greater than needed collateral amount, it is considered to be chosen as token to sell. Otherwise, the asset is considered to be bought based on the deficiency.
However, when choosing token to buy, it does not check if the asset exists in current basket. This exposes a vulnerability for invalid tokens to be bought using surplus, and this will make collateralization of protocol worse.
Tools Used
Manual Review
Recommended Mitigation Steps
When choosing a token to buy, it should only look in tokens in current basket.
Assessed type
Context