Closed c4-bot-1 closed 1 month ago
Hey @thereksfour, thanks so much for your judging.
I want to take a look at this issue: there is an unsafe rounding issue that is not being handled well, which allows manipulating basketsNeeded, which is an important variable in the system used in the basketHandler, backingManager and the Rtoken.
amtBaskets is used to calculate the collateral tokens sent to the user. In this case, the user burned more rtokens and got back fewer collateral tokens. This is by design. And basketsNeeded is not manipulated. It should be said that the attacker's "donation" makes rtoken worth more collateral tokens.
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RToken.sol#L508
Vulnerability details
We all know that Solidity does not support float values; that's why division always rounds to the lower decimals. Projects also have to round in favor of the project. In this case of Reserve protocol there is an instance that can be exploited. Let's see the _scaleDown function, which is called by the redeem functions: [Link]
As you can see, the amtBaskets is rounding down; this allows an attacker to burn a low amount of tokens but not decrement the baskets needed. An attacker can do the next scenario:
rtokens increasing the basketsNeeded.
2. Redeem a low amount of tokens, burning his amount but not decreasing the basketsNeeded,
doing this in a loop until he burns all his rtokens.
Impact
basketsNeeded is an important variable in the system, used in the basketHandler, backingManager and the same Rtoken. Manipulating this variable could lead to DoS, incorrect calculations and stealing funds. An example could be the rebalance function in the backingManager, which has the require below
Proof of Concept
See the _scaleDown: [Link]
The amtBaskets is rounding to floor.
Tools Used
Manual
Recommended Mitigation Steps
Consider checking if the amtBaskets rounded to 0; if that is the case, then revert:
Assessed type
Other
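A small integer model of the rounding discussed in this thread, added here as an illustration and not code from RToken.sol or from any participant. It assumes redemption computes amtBaskets as floor(basketsNeeded * amount / totalSupply), subtracts that from basketsNeeded and burns the redeemed RTokens; the class and function names and the sample numbers are constructed.

```python
# Simplified model (assumption, not the RToken.sol source). Plain small
# integers stand in for the contract's fixed-point values.

class RTokenModel:
    def __init__(self, baskets_needed: int, total_supply: int,
                 revert_on_zero: bool = False):
        self.baskets_needed = baskets_needed
        self.total_supply = total_supply
        self.revert_on_zero = revert_on_zero  # mitigation proposed in the report

    def scale_down(self, amount: int) -> int:
        """Burn `amount` RTokens and return the baskets paid out (floor)."""
        if not 0 < amount <= self.total_supply:
            raise ValueError("bad redeem amount")
        amt_baskets = self.baskets_needed * amount // self.total_supply  # FLOOR
        if self.revert_on_zero and amt_baskets == 0:
            raise ValueError("amtBaskets rounded to 0")
        self.baskets_needed -= amt_baskets
        self.total_supply -= amount
        return amt_baskets


def dust_redeem_loop(baskets_needed: int, total_supply: int,
                     holding: int, chunk: int):
    """Redeem `holding` RTokens in pieces of `chunk`.

    Returns (baskets received by the redeemer, final basketsNeeded,
    final totalSupply, True if baskets-per-token never dropped)."""
    m = RTokenModel(baskets_needed, total_supply)
    received, ratio_never_dropped = 0, True
    while holding > 0:
        step = min(chunk, holding)
        bn0, ts0 = m.baskets_needed, m.total_supply
        received += m.scale_down(step)
        holding -= step
        # Compare bn/ts before and after by cross-multiplication (no floats).
        if m.total_supply and m.baskets_needed * ts0 < bn0 * m.total_supply:
            ratio_never_dropped = False
    return received, m.baskets_needed, m.total_supply, ratio_never_dropped


if __name__ == "__main__":
    print(dust_redeem_loop(1000, 3000, 300, 2))    # many dust redemptions
    print(dust_redeem_loop(1000, 3000, 300, 300))  # one normal redemption
```

In the model, the dust path burns the same 300 RTokens as the single redemption but pays the redeemer zero baskets, and the backing per remaining token never decreases.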