code-423n4 / 2024-07-reserve-findings


Admin can't set throttle amount as zero. #90

Closed howlbot-integration[bot] closed 2 months ago

howlbot-integration[bot] commented 3 months ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/tree/main/contracts/p1/RToken.sol#L452 https://github.com/code-423n4/2024-07-reserve/tree/main/contracts/p1/RToken.sol#L463

Vulnerability details

Impact

Admin can't set the throttle amount to zero to rely solely on the issuance throttle rate. The same problem also exists in RToken.sol#setRedemptionThrottleParams.

Proof of Concept

The RToken.sol#setIssuanceThrottleParams function is as follows.

    function setIssuanceThrottleParams(ThrottleLib.Params calldata params) public governance {
452:    require(params.amtRate >= MIN_THROTTLE_RATE_AMT, "issuance amtRate too small");
        require(params.amtRate <= MAX_THROTTLE_RATE_AMT, "issuance amtRate too big");
        require(params.pctRate <= MAX_THROTTLE_PCT_AMT, "issuance pctRate too big");
        issuanceThrottle.useAvailable(totalSupply(), 0);

        emit IssuanceThrottleSet(issuanceThrottle.params, params);
        issuanceThrottle.params = params;
    }

Since the constant MIN_THROTTLE_RATE_AMT = 1e18 > 0 in L452, params.amtRate can't be zero. However, the docs state that:

Must be at least 1 whole RToken. Can be set to 0 to solely rely on the issuance throttle rate.

Tools Used

Manual Review

Recommended Mitigation Steps

Modify the RToken.sol#setIssuanceThrottleParams function as follows.

    function setIssuanceThrottleParams(ThrottleLib.Params calldata params) public governance {
--      require(params.amtRate >= MIN_THROTTLE_RATE_AMT, "issuance amtRate too small");
++      require(params.amtRate == 0 || params.amtRate >= MIN_THROTTLE_RATE_AMT, "issuance amtRate too small");
        require(params.amtRate <= MAX_THROTTLE_RATE_AMT, "issuance amtRate too big");
        require(params.pctRate <= MAX_THROTTLE_PCT_AMT, "issuance pctRate too big");
        issuanceThrottle.useAvailable(totalSupply(), 0);

        emit IssuanceThrottleSet(issuanceThrottle.params, params);
        issuanceThrottle.params = params;
    }
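Review bot: the relaxed check leaves `params.pctRate` with only an upper bound (`require(params.pctRate <= MAX_THROTTLE_PCT_AMT, ...)`), so after this change a single governance call could set `amtRate == 0` together with `pctRate == 0`; if a zero amount is meant to defer to the percentage leg, consider also requiring `params.amtRate != 0 || params.pctRate != 0`. The change also touches only setIssuanceThrottleParams, while the Impact section says the same lower bound exists in setRedemptionThrottleParams, so the same relaxation would be needed there for the mitigation to be complete.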

Assessed type

Error
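A Python model of the two validation rules discussed in the finding, added here as an illustration and not taken from the finding or from the Reserve protocol code base; the `MAX_*` values and the hourly-limit formula `max(amtRate, pctRate * supply)` are assumptions made for the example:

```python
# Added example (not Reserve protocol code): a Python model of the
# throttle-parameter validation discussed in the finding, used to compare
# the existing lower bound on amtRate with the proposed "0 is allowed" rule.
# ASSUMPTIONS: the MAX_* values and the hourly-limit formula are not on the
# page and are stand-ins chosen for illustration.
from dataclasses import dataclass

FIX_ONE = 10**18                  # fixed-point 1.0 for pctRate
MIN_THROTTLE_RATE_AMT = 10**18    # 1 whole RToken per hour (from the finding)
MAX_THROTTLE_RATE_AMT = 10**48    # ASSUMPTION: stand-in upper bound
MAX_THROTTLE_PCT_AMT = 10**18     # ASSUMPTION: 100% of supply per hour


@dataclass(frozen=True)
class ThrottleParams:
    amt_rate: int  # {qRTok/hour} absolute leg of the throttle
    pct_rate: int  # {1/hour} fraction of supply, FIX_ONE == 100%


def _check_common(p: ThrottleParams) -> None:
    """The two require() calls the finding leaves unchanged."""
    if p.amt_rate > MAX_THROTTLE_RATE_AMT:
        raise ValueError("issuance amtRate too big")
    if p.pct_rate > MAX_THROTTLE_PCT_AMT:
        raise ValueError("issuance pctRate too big")


def validate_current(p: ThrottleParams) -> None:
    """Mirror of the require() chain on the page: amtRate must be >= 1 RToken."""
    if p.amt_rate < MIN_THROTTLE_RATE_AMT:
        raise ValueError("issuance amtRate too small")
    _check_common(p)


def validate_proposed(p: ThrottleParams) -> None:
    """Mirror of the warden's mitigation: amtRate may also be exactly 0."""
    if not (p.amt_rate == 0 or p.amt_rate >= MIN_THROTTLE_RATE_AMT):
        raise ValueError("issuance amtRate too small")
    _check_common(p)


def accepts(validator, p: ThrottleParams) -> bool:
    """True if `validator` would let the governance call through."""
    try:
        validator(p)
        return True
    except ValueError:
        return False


def hourly_limit(p: ThrottleParams, supply: int) -> int:
    """ASSUMPTION: the throttle allows the larger of the two legs per hour,
    i.e. max(amtRate, pctRate * supply). Only the shape matters here."""
    return max(p.amt_rate, supply * p.pct_rate // FIX_ONE)


def min_hourly_limit(validator, supply: int) -> int:
    """Smallest hourly limit reachable through parameters `validator` accepts.
    Brute-forces the corner values of each leg (0, the minimum, the maximum)."""
    candidates = [
        ThrottleParams(a, b)
        for a in (0, MIN_THROTTLE_RATE_AMT, MAX_THROTTLE_RATE_AMT)
        for b in (0, 1, MAX_THROTTLE_PCT_AMT)
    ]
    limits = [hourly_limit(c, supply) for c in candidates if accepts(validator, c)]
    return min(limits)


if __name__ == "__main__":
    supply = 10_000 * 10**18  # constructed sample supply: 10,000 RToken
    docs_case = ThrottleParams(0, 10**17)  # "0 to rely solely on pctRate" (10%/hour)
    print("current accepts amtRate=0:", accepts(validate_current, docs_case))
    print("proposed accepts amtRate=0:", accepts(validate_proposed, docs_case))
    print("lowest reachable limit, current :", min_hourly_limit(validate_current, supply))
    print("lowest reachable limit, proposed:", min_hourly_limit(validate_proposed, supply))
```

The brute-force `min_hourly_limit` is what makes the difference visible: under the existing check the lowest hourly limit any accepted parameter set can produce is one RToken, whereas the relaxed check lets one governance call set both legs to zero and stall issuance entirely. Whether that is acceptable is a design decision, which is why the lower bound on the amount leg deserves to be treated as an invariant rather than only a documentation detail.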

tbrent commented 3 months ago

The docs are wrong. The docs the warden is referencing are the website docs for the 3.4.0 release.

In the 4.0.0 code we can see it is documented that the amtRate cannot be 0: https://github.com/reserve-protocol/protocol/blob/72fc1f6e41da01e733c0a7e96cdb8ebb45bf1065/contracts/libraries/Throttle.sol#L21

The website docs should be updated, but that is out-of-scope for the contest.

c4-judge commented 2 months ago

thereksfour marked the issue as unsatisfactory: Out of scope