code-423n4 / 2024-07-reserve-validation


Auctioning revenue for rToken when issuance is disabled could lead to limited participation and worse pricing #203

Open c4-bot-6 opened 1 month ago

c4-bot-6 commented 1 month ago

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RevenueTrader.sol#L109-L183

Vulnerability details

Impact

For low-liquidity tokens with issuance disabled, auction participation and pricing would be significantly impacted.

Proof of Concept

RevenueTrader.sol#L109-L183

function manageTokens(IERC20[] calldata erc20s, TradeKind[] calldata kinds)
    external
    nonReentrant
    notTradingPausedOrFrozen
{

    ...

    IAsset assetToBuy = assetRegistry.toAsset(tokenToBuy);

    ...

    for (uint256 i = 0; i < len; ++i) {

        ...

        TradeInfo memory trade = TradeInfo({
            sell: assetToSell,
            buy: assetToBuy,
            sellAmount: assetToSell.bal(address(this)),
            buyAmount: 0,
            prices: TradePrices(sellLow, sellHigh, buyLow, buyHigh)
        });

        (, TradeRequest memory req) = TradeLib.prepareTradeSell(
            trade,
            minTradeVolume,
            maxTradeSlippage
        );
        require(req.sellAmount > 1, "sell amount too low");

        tryTrade(kinds[i], req, trade.prices);
    }
}

When auctioning revenue, tokens are sold directly for the target token. In the case of the rToken revenueTrader, it would be sold directly for the rToken. If the rToken cannot be minted at the time of the auction, this could create scenarios where the auctioned tokens could sell significantly under market value.

Consider that for rTokens with disabled issuance, the auction participants are those who already own the rToken or those who can purchase them from DEX liquidity. If we consider a token with poor DEX liquidity, the pool becomes narrowed to only existing token holders. With such a narrow pool of users and short auction times, it is highly likely that any capable party could win the auction at the lowest possible price. Given that the worst-case price accounts for selling the underlying asset at the lowest price, buying the basket at the highest price and factoring slippage, it is likely 5%+ lower than the market value of the token.

Tools Used

Manual review

Recommended Mitigation Steps

RevenueTrader#manageTokens should revert when selling revenue for rTokens if issuance is currently disabled on said rToken.

Assessed type

MEV