Closed c4-bot-9 closed 1 month ago
@thereksfour Here compromiseBasketsNeeded(basketsHeld.bottom)
is never reached since doTrade
is always true due to the assertion in prepareRecollateralizationTrade
function. So it caused protocol to a insolvent mode.
https://github.com/code-423n4/2024-07-reserve-findings/issues/69#issuecomment-2303349346
The early return in RecollateralizationLib.prepareRecollateralizationTrade ensures the haircut occurs when the only remaining trade is below the minTradeVolume.
function prepareRecollateralizationTrade(TradingContext memory ctx, Registry memory reg) external view returns ( bool doTrade, TradeRequest memory req, TradePrices memory prices ) { // Compute a target basket range for trading - {BU} // The basket range is the full range of projected outcomes for the rebalancing process BasketRange memory range = basketRange(ctx, reg);
// Select a pair to trade next, if one exists
TradeInfo memory trade = nextTradePair(ctx, reg, range);
// Don't trade if no pair is selected
if (address(trade.sell) == address(0) || address(trade.buy) == address(0)) {
return (false, req, prices);
}
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BackingManager.sol#L170 https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/mixins/RecollateralizationLib.sol#L75
Vulnerability details
Vulnerability details
The
haircut
method implemented in theBackingManager.sol
contract is designed to manage the situation where the actual basket holdings of the contract do not meet the required basket composition(basketsNeeded
). When theBackingManager
detects that the baskets held by the contract are insufficient to meet thebasketsNeeded
(i.e., the contract is undercollateralized), it enters a "haircut" mode. But here haircut mode is never reached. So it caused protocol to a insolvent mode.Proof of Concept
In the
rebalance
function its invoked prepareRecollateralizationTrade.In
prepareRecollateralizationTrade
function its checked doTrade as always true.That's mean its always executing this if statement in rebalance function not reaching to this else part.
Impact
This Haircut mechanism is crucial for maintaining the integrity and stability of the system, ensuring that protocol is overcollateralized. If its cannot call
compromiseBasketsNeeded
function eventually protocol is going to be insolvent state.Tools Used
Manual Review
Recommended Mitigation Steps
Remove this assert(doTrade) so that it can be invoked
compromiseBasketsNeeded
as needed.Assessed type
Other