Impact
Invalid Collateral: If invalid collateral tokens are added to the basket, it can lead to incorrect basket configurations. This could cause the protocol to malfunction, jeopardizing the stability and intended functioning of the RToken.
Duplicate Entries: If there are duplicate collateral tokens within the basket, this can skew the basket's balance and adversely affect the protocol’s stability, potentially leading to improper collateralization.
Proof of Concept
Code Reference: requireValidCollArray
solidity
Copy code
/// Require that erc20s is a valid collateral array
function requireValidCollArray(IERC20[] calldata erc20s) private view {
for (uint256 i = 0; i < erc20s.length; ++i) {
require(
erc20s[i] != rsr &&
erc20s[i] != IERC20(address(rToken)) &&
erc20s[i] != IERC20(address(stRSR)) &&
erc20s[i] != IERC20(address(0)),
"invalid collateral"
);
}
}
Proof:
The function iterates over the erc20s array to ensure that none of the elements are invalid tokens (like rsr, rToken, stRSR, or a zero address). If any invalid token is found, the function will revert with the message "invalid collateral".
It also checks for duplicates using the ArrayLib.allUnique() function. If any duplicates are found, the function will revert with the message "contains duplicates".
This ensures that only valid and unique collateral tokens are included in the basket, maintaining the integrity of the basket configuration.
Tools Used
Manual Code Review: Analyzing the logic and conditions within the requireValidCollArray function.
Static Analysis Tools: To check for potential issues like missing checks or vulnerabilities.
Recommended Mitigation Steps
Consistent Usage: Ensure that the requireValidCollArray function is called whenever collateral arrays are set, modified, or used within the protocol. This will prevent any invalid or duplicate tokens from being introduced into the basket.
Unit Tests:
Implement unit tests that cover edge cases for the requireValidCollArray function.
Test scenarios where the array contains invalid tokens (e.g., rsr, rToken, stRSR, or zero address) to confirm that the function correctly identifies and rejects these.
Test scenarios with duplicate tokens to verify that the function rejects them as well.
Proper Handling of Disabled State: Ensure that the protocol correctly handles the disabled state to avoid unintended pauses or failures. This includes verifying that all relevant conditions and states are adequately checked and managed during basket operations.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/BasketHandler.sol#L683
Vulnerability details
Impact Invalid Collateral: If invalid collateral tokens are added to the basket, it can lead to incorrect basket configurations. This could cause the protocol to malfunction, jeopardizing the stability and intended functioning of the RToken.
Duplicate Entries: If there are duplicate collateral tokens within the basket, this can skew the basket's balance and adversely affect the protocol’s stability, potentially leading to improper collateralization.
Proof of Concept Code Reference: requireValidCollArray solidity Copy code /// Require that erc20s is a valid collateral array function requireValidCollArray(IERC20[] calldata erc20s) private view { for (uint256 i = 0; i < erc20s.length; ++i) { require( erc20s[i] != rsr && erc20s[i] != IERC20(address(rToken)) && erc20s[i] != IERC20(address(stRSR)) && erc20s[i] != IERC20(address(0)), "invalid collateral" ); }
} Proof: The function iterates over the erc20s array to ensure that none of the elements are invalid tokens (like rsr, rToken, stRSR, or a zero address). If any invalid token is found, the function will revert with the message "invalid collateral". It also checks for duplicates using the ArrayLib.allUnique() function. If any duplicates are found, the function will revert with the message "contains duplicates". This ensures that only valid and unique collateral tokens are included in the basket, maintaining the integrity of the basket configuration.
Tools Used Manual Code Review: Analyzing the logic and conditions within the requireValidCollArray function. Static Analysis Tools: To check for potential issues like missing checks or vulnerabilities. Recommended Mitigation Steps Consistent Usage: Ensure that the requireValidCollArray function is called whenever collateral arrays are set, modified, or used within the protocol. This will prevent any invalid or duplicate tokens from being introduced into the basket.
Unit Tests:
Implement unit tests that cover edge cases for the requireValidCollArray function. Test scenarios where the array contains invalid tokens (e.g., rsr, rToken, stRSR, or zero address) to confirm that the function correctly identifies and rejects these. Test scenarios with duplicate tokens to verify that the function rejects them as well. Proper Handling of Disabled State: Ensure that the protocol correctly handles the disabled state to avoid unintended pauses or failures. This includes verifying that all relevant conditions and states are adequately checked and managed during basket operations.
Assessed type
Invalid Validation