grantRTokenAllowance function in the BackingManager contract is reverting for registered ERC20 tokens due to an incorrect isRegistered check in the AssetRegistry contract. This will cause the RToken contract to unexpectedly fail to receive allowances for registered tokens, impacting the system's ability to manage and trade these assets as the BackingManager will be unable to grant the necessary allowances.
Root Cause
In the BackingManager contract, the grantRTokenAllowance function is responsible for granting the RToken contract allowance to spend registered ERC20 tokens held by the BackingManager. However, there is an issue with the isRegistered check performed on the input erc20 token address: BackingManager.sol#L64-L74
The isRegistered function in AssetRegistry contract is returning false for registered tokens, causing the require statement in grantRTokenAllowance to revert unexpectedly.
Impact
The RToken contract suffers from an inability to receive allowances for registered ERC20 tokens. This prevents the RToken from being able to manage and trade these assets as expected, potentially leading to system instability and loss of functionality.
Proof of Concept
Pre-conditions
The AssetRegistry contract is initialized with a set of registered ERC20 tokens.
The BackingManager contract is initialized and linked to the AssetRegistry.
Steps
Call grantRTokenAllowance(registeredERC20) on the BackingManager contract, passing a registered ERC20 token address.
The require(assetRegistry.isRegistered(erc20), "erc20 unregistered") statement in BackingManager.sol:70 unexpectedly reverts.
The RToken contract fails to receive the necessary allowance for the registered token.
Tools Used
Manual code review
Recommended Mitigation Steps
The isRegistered function in the AssetRegistry contract should correctly return true for registered ERC20 tokens.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/BackingManager.sol#L69-L75 https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/AssetRegistry.sol#L142-L144 https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/BackingManager.sol#L70
Vulnerability details
grantRTokenAllowance function in the BackingManager contract is reverting for registered ERC20 tokens due to an incorrect isRegistered check in the
AssetRegistrycontract. This will cause the RToken contract to unexpectedly fail to receive allowances for registered tokens, impacting the system's ability to manage and trade these assets as theBackingManagerwill be unable to grant the necessary allowances.Root Cause
In the
BackingManagercontract, thegrantRTokenAllowancefunction is responsible for granting theRTokencontract allowance to spend registered ERC20 tokens held by theBackingManager. However, there is an issue with theisRegisteredcheck performed on the inputerc20token address: BackingManager.sol#L64-L74The
isRegisteredfunction inAssetRegistrycontract is returningfalsefor registered tokens, causing therequirestatement ingrantRTokenAllowanceto revert unexpectedly.Impact
The
RTokencontract suffers from an inability to receive allowances for registered ERC20 tokens. This prevents theRTokenfrom being able to manage and trade these assets as expected, potentially leading to system instability and loss of functionality.Proof of Concept
Pre-conditions
AssetRegistrycontract is initialized with a set of registered ERC20 tokens.BackingManagercontract is initialized and linked to theAssetRegistry.Steps
grantRTokenAllowance(registeredERC20)on theBackingManagercontract, passing a registered ERC20 token address.require(assetRegistry.isRegistered(erc20), "erc20 unregistered")statement in BackingManager.sol:70 unexpectedly reverts.RTokencontract fails to receive the necessary allowance for the registered token.Tools Used
Manual code review
Recommended Mitigation Steps
The isRegistered function in the
AssetRegistrycontract should correctly return true for registered ERC20 tokens.Assessed type
Other