The BasketHanlder.price(bool) function is used to return the price of a Basket Unit. The passed in boolean input parameter indicates whether to apply the issuance premium to the high price. The BasketHandler.price(bool) function is called in the RecollateralizationLib.basketRange function to determine the BasketRange.top and BasketRange.bottom values for a given TradingContext and AssetRegistry.
As you can see when calculating the basket unit price the issuance premium is not applied (false is passsed in). But there is a scenario where the issuance premium is applied as explained below:
The Baket can include a different RTokenCollateral (Not the RToken which the current basket maps to) as one of its collaterals. This is because when the primary basket is set only collaterals which are not allowed are rsr, rToken and stRSR as verified in the BasketHandler.requireValidCollArray function.
During the BackingManager.rebalance function the RecollateralizationLib.prepareRecollateralizationTrade is called which inturn calls the BasketHandler.basketRange function. Here the ctx.bh.price(false) is called.
Now to determine the low and high price of the Basket Unit, the BasketHandler.price(bool) function iterates through all the collaterals in the basket and calculates the low and high price of each of the collaterals as shown below:
(uint192 lowP, uint192 highP) = coll.price();
Since RTokenCollateral is also an active collateral of the Basket the RTokenAsset.price() is called which inturn calls the RTokenAsset.tryPrice function. In the tryPrice function the basketHandler.price(true) call is made which applies the issuance premium to the price of all of the collaterals which back the RTokenCollateral, as shown below:
As a result the RTokenCollateral price returned by the RTokenAsset.price() accounts for the issuancePremium if there is a depeg between the (tok/ref) of the respective collateral tokens of the RTokenCollateral. And this price which has the issuancePremium accounted for, is returned to the BasketHandler.price(bool) function.
Eventhough the quantity of the RTokenCollateral is not applied the issuancePremium (since it bool is false) its price is applied the issuancePremium as explained above. As a result when the price of the RTokenCollateral in the basket is calculated it includes the issuancePremium as shown below:
high256 += qty.safeMul(highP, CEIL);
Hence now high256 which is used to calculate the high value of the basket unit is now applied the issuancePremium for the RTokenCollateral which is not the intended behaviour since the basket unit price calculation didn't intend to include the issuancePremium for any of its collaterals since the bool false was passed in when calling the ctx.bh.price(false) via the RecollateralizationLib.basketRange function.
Since the issuancePremium is included in the above basket unit price calculation any oracle error (2%-3% either way) which occurs in savedPegPrice could result in errorneous issuancePremium calculation thus provding wrong (Higher or Lower than the accurate price) RTokenCollateral price. This will further extend to providing a wrong Basket Unit Price thus making the BasketRange.top and BasketRange.bottom values errorneous. As a result the trade.sellAmount and trade.buyAmount values of the TradeInfo struct will be inaccurate. As a result the triggerred auction trades in the BackingManager.rebalance function will have inaccurate trade parameters. This could lead to unintended behaviour such as trade auction not being initiated, basket not being properly rebalanced, trade being disadvantegeous to either the rsr staker or the RToken holder etc ...
Above issue can be aggravated if multiple RTokenCollaterals are used as active collaterals of a Basket, since issuancePremium could be applied multiple times for the respective RTokenCollaterals.
Hence it is recommended to ensure the uniformity of not including the issuancePremium when calculating the basket unit price when computing the basketRange. Hence it is recommended to ensure that RTokenAsset.tryPrice function calls the basketHandler.price function with bool false when the call is sent (msg.sender) from the BasketHandler contract. This will ensure that RTokenCollateral will not include the issuancePremium in its price calculation and as a result the basket unit price calculated in the BasketHandler.price() function will provide an accurate price value. This will in turn provide the expected BasketRange value without unexpected behavior.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/mixins/RecollateralizationLib.sol#L116 https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BasketHandler.sol#L429 https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/plugins/assets/RTokenAsset.sol#L66 https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BasketHandler.sol#L446
Vulnerability details
Impact
The
BasketHanlder.price(bool)function is used to return the price of aBasket Unit. The passed inboolean input parameterindicates whether to apply the issuance premium to the high price. TheBasketHandler.price(bool)function is called in theRecollateralizationLib.basketRangefunction to determine theBasketRange.topandBasketRange.bottomvalues for a givenTradingContextandAssetRegistry.As you can see when calculating the
basket unit pricetheissuance premiumis not applied (falseis passsed in). But there is a scenario where theissuance premiumis applied as explained below:Baketcan include a differentRTokenCollateral(Not the RToken which the current basket maps to) as one of its collaterals. This is because when the primary basket is set only collaterals which are not allowed arersr,rTokenandstRSRas verified in theBasketHandler.requireValidCollArrayfunction.BackingManager.rebalancefunction theRecollateralizationLib.prepareRecollateralizationTradeis called which inturn calls theBasketHandler.basketRangefunction. Here thectx.bh.price(false)is called.Basket Unit, theBasketHandler.price(bool)function iterates through all the collaterals in the basket and calculates thelow and highprice of each of the collaterals as shown below:RTokenCollateralis also an active collateral of theBaskettheRTokenAsset.price()is called which inturn calls theRTokenAsset.tryPricefunction. In thetryPricefunction thebasketHandler.price(true)call is made which applies theissuance premiumto the price of all of the collaterals which back theRTokenCollateral, as shown below:As a result the
RTokenCollateralprice returned by theRTokenAsset.price()accounts for theissuancePremiumif there is a depeg between the (tok/ref) of the respective collateral tokens of the RTokenCollateral. And this price which has theissuancePremiumaccounted for, is returned to theBasketHandler.price(bool)function.Eventhough the
quantityof theRTokenCollateralis not applied theissuancePremium (since it bool is false)its price is applied theissuancePremiumas explained above. As a result when the price of the RTokenCollateral in the basket is calculated it includes theissuancePremiumas shown below:Hence now
high256which is used to calculate the high value of thebasket unitis now applied theissuancePremiumfor theRTokenCollateralwhich is not the intended behaviour since thebasket unit price calculationdidn't intend to include theissuancePremiumfor any of its collaterals since thebool falsewas passed in when calling thectx.bh.price(false)via theRecollateralizationLib.basketRangefunction.Since the
issuancePremiumis included in theabove basket unit price calculationany oracle error (2%-3% either way) which occurs insavedPegPricecould result in errorneousissuancePremiumcalculation thus provding wrong (Higher or Lower than the accurate price)RTokenCollateral price. This will further extend to providing a wrongBasket Unit Pricethus making theBasketRange.topandBasketRange.bottomvalues errorneous. As a result thetrade.sellAmountandtrade.buyAmountvalues of theTradeInfostruct will be inaccurate. As a result thetriggerred auction tradesin theBackingManager.rebalancefunction will have inaccurate trade parameters. This could lead to unintended behaviour such as trade auction not being initiated, basket not being properly rebalanced, trade being disadvantegeous to either the rsr staker or the RToken holder etc ...Above issue can be aggravated if multiple
RTokenCollateralsare used as active collaterals of aBasket, sinceissuancePremiumcould be applied multiple times for the respectiveRTokenCollaterals.Proof of Concept
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/mixins/RecollateralizationLib.sol#L116
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BasketHandler.sol#L429
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/plugins/assets/RTokenAsset.sol#L66
https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/p1/BasketHandler.sol#L446
Tools Used
Manual Review and VSCode
Recommended Mitigation Steps
Hence it is recommended to ensure the uniformity of not including the
issuancePremiumwhen calculating thebasket unit pricewhen computing the basketRange. Hence it is recommended to ensure thatRTokenAsset.tryPricefunction calls thebasketHandler.pricefunction withbool falsewhen the call is sent (msg.sender) from theBasketHandler contract. This will ensure thatRTokenCollateralwill not include theissuancePremiumin its price calculation and as a result thebasket unit pricecalculated in theBasketHandler.price()function will provide an accurate price value. This will in turn provide the expectedBasketRangevalue without unexpected behavior.Assessed type
Other