The AssetRegistry contract has no mechanism to detect or prevent the registration of double-entry-point tokens (also known as proxy tokens). This allows the same underlying asset to be registered more than once under different addresses, which can lead to incorrect accounting and weaken the protocol's economic model.
The current implementation checks for duplicates based solely on the ERC20 token address, which is insufficient for detecting proxy tokens that can have multiple entry points representing the same underlying asset.
Impact
Double Counting: Assets could be counted twice in the system, inflating the perceived total value of registered assets.
Incorrect Balance Calculations: The protocol might overestimate the available balance of certain assets.
Potential Double Spending: During issuance or redemption of RTokens, users might be able to exploit this to receive more assets than they should.
Proof of Concept
    // Tail of AssetRegistry._register (p1/AssetRegistry.sol); the function header is
    // restored here for context. The duplicate check is keyed on the ERC20 address only.
    function _register(IAsset asset) internal returns (bool registered) {
        require(
            !_erc20s.contains(address(asset.erc20())) || assets[asset.erc20()] == asset,
            "duplicate ERC20 detected"
        );

        registered = _registerIgnoringCollisions(asset);
    }

    function _registerIgnoringCollisions(IAsset asset) private returns (bool swapped) {
        IERC20Metadata erc20 = asset.erc20();
        if (_erc20s.contains(address(erc20))) {
            if (assets[erc20] == asset) return false;
            else emit AssetUnregistered(erc20, assets[erc20]);
        } else {
            _erc20s.add(address(erc20));
        }

        assets[erc20] = asset;
        emit AssetRegistered(erc20, asset);

        // Refresh to ensure it does not revert, and to save a recent lastPrice
        asset.refresh();
        return true;
    }
This code only checks whether the exact ERC20 address is already registered. It does not account for proxy tokens whose several addresses all represent the same underlying asset.
A malicious actor or even an unknowing user could register the same proxy token twice using different addresses, bypassing the duplicate check.
Tools Used
Manual code review
Recommended Mitigation Steps
Unique Asset Identification: Identify assets by their underlying logic or characteristics rather than solely by their ERC20 address, for example by checking the implementation address in the case of proxies, or by using a hash of the underlying logic.
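The address-only check from the proof of concept and the mitigation above, modelled in Python as an added example (not code from the Reserve protocol or from the report's author): a constructed double-entry-point token with one ledger behind two addresses is registered twice by an address-keyed registry and inflates the reported value, while a registry keyed on an assumed underlying identifier (standing in for the implementation-address or logic-hash check proposed above) rejects the second entry point.

```python
# Added model, not the protocol's code; underlying_id is an assumed stand-in for
# whatever the mitigation derives (e.g. a proxy's implementation address).
class DoubleEntryToken:
    """Constructed double-entry-point token: one balance ledger, two addresses."""
    def __init__(self, underlying_id, balances):
        self.underlying_id, self._balances = underlying_id, dict(balances)
    def balance_of(self, holder):
        return self._balances.get(holder, 0)

class Asset:
    def __init__(self, erc20, token, price):   # entry-point address, ledger, unit price
        self.erc20, self.token, self.price = erc20, token, price

class AddressKeyedRegistry:
    """Mirrors the require() in _register: only the ERC20 address is compared."""
    def __init__(self):
        self.assets = {}
    def register(self, asset):
        if asset.erc20 in self.assets and self.assets[asset.erc20] is not asset:
            raise ValueError("duplicate ERC20 detected")
        self.assets[asset.erc20] = asset
        return True
    def total_value(self, holder):   # a shared ledger is summed once per entry point
        return sum(a.token.balance_of(holder) * a.price for a in self.assets.values())

class UnderlyingKeyedRegistry(AddressKeyedRegistry):
    """Mitigation sketch: a second entry point to a registered ledger is rejected."""
    def __init__(self):
        super().__init__()
        self.by_underlying = {}
    def register(self, asset):
        key = asset.token.underlying_id
        if key in self.by_underlying and self.by_underlying[key] != asset.erc20:
            raise ValueError("duplicate underlying asset detected")
        super().register(asset)
        self.by_underlying[key] = asset.erc20
        return True

def demo():
    # Returns (value the naive registry reports, whether the fixed one rejects 0xB).
    token = DoubleEntryToken("DET", {"backing": 100})   # 100 tokens exist in total
    a1, a2 = Asset("0xA", token, 2), Asset("0xB", token, 2)
    naive = AddressKeyedRegistry()
    naive.register(a1)
    naive.register(a2)                                  # passes: new address, same ledger
    fixed = UnderlyingKeyedRegistry()
    fixed.register(a1)
    try:
        rejected = not fixed.register(a2)
    except ValueError:
        rejected = True
    return naive.total_value("backing"), rejected       # (400, True): 100 counted twice
```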
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/AssetRegistry.sol#L201-L252
Assessed type
Other