Closed c4-bot-9 closed 1 month ago
rsr will make sure to be registered, unregistering rsr will be malicious governance behavior
```solidity
IAsset[] memory assets = new IAsset[](2);
assets[0] = new RTokenAsset(components.rToken, params.rTokenMaxTradeVolume);
assets[1] = rsrAsset;
// Init Asset Registry
main.assetRegistry().init(main, assets);
```
thereksfour marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/mixins/RecollateralizationLib.sol#L358
Vulnerability details
Description
The `BackingManager` takes care of the backing of its `RToken` by constantly balancing the amounts of the respective underlying assets with trades. It tries to sell the token it has more of than necessary for the token it has less of than needed. If it does not have a good candidate token to sell, it will choose to sell the `RSR` token. However, if the `RSR` is not registered in the `AssetRegistry`, it cannot rebalance.
Proof of concept
If the respective `RToken` system does not intend to use the `RSR` token as revenue or a collateral asset, the owners will not register it to the `AssetRegistry`. However, if it is not registered in the `AssetRegistry`, then if such a scenario as the above one occurs, the `BackingManager` would be unable to rebalance due to an out-of-bounds revert here. Note that this behavior is documented for the further array accesses. Still, it should not behave this way, as it breaks core functionality.
Normally, if RSR was registered but the `BackingManager` did not have enough of it, it would choose to go for the haircut (i.e., decrease the number of baskets needed). There should not be a limitation like this if the system owners do not wish to slash governance or simply do not wish to include the `RSR`.
Impact and likelihood
Since this issue breaks a core protocol functionality, this issue should be judged as MEDIUM severity.
Recommendation
Consider checking whether the `rsrIndex` was assigned a correct value if it should be used as the sell asset:
Assessed type
Error
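The failure mode the report describes, as an added example that is not part of the original report and is not the Reserve protocol's code: a fallback that indexes a registry with a "not found" sentinel reverts, while a bounds check lets the caller move on to its next option. The contract name, function names, the `erc20s.length` sentinel convention and the parallel `balances` array are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model for illustration only. All names and the data layout are
/// assumptions; this is not RecollateralizationLib.
contract SellCandidateModel {
    struct Registry {
        address[] erc20s;   // registered tokens
        uint256[] balances; // holder balance per token, parallel to erc20s
    }

    /// Returns the index of `rsr` in `erc20s`, or `erc20s.length` as a
    /// "not registered" sentinel (assumed convention).
    function findRsrIndex(address[] memory erc20s, address rsr)
        public pure returns (uint256 idx)
    {
        idx = erc20s.length;
        for (uint256 i = 0; i < erc20s.length; ++i) {
            if (erc20s[i] == rsr) return i;
        }
    }

    /// Unguarded fallback: when RSR is absent the sentinel is used as an
    /// index and the call reverts with Panic(0x32), array out-of-bounds.
    function rsrFallbackUnguarded(Registry memory reg, address rsr)
        public pure returns (uint256 sellAmount)
    {
        uint256 rsrIndex = findRsrIndex(reg.erc20s, rsr);
        sellAmount = reg.balances[rsrIndex];
    }

    /// Guarded fallback: reports "nothing to sell" instead of reverting, so
    /// the caller can continue to its next option (the report names the
    /// basket haircut).
    function rsrFallbackGuarded(Registry memory reg, address rsr)
        public pure returns (bool canSell, uint256 sellAmount)
    {
        uint256 rsrIndex = findRsrIndex(reg.erc20s, rsr);
        if (rsrIndex >= reg.erc20s.length) return (false, 0);
        sellAmount = reg.balances[rsrIndex];
        canSell = sellAmount > 0;
    }
}
```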