The issueTo() function in the RTokenP1 contract (RToken.sol:105-155) does not prevent multiple issuances with the same parameters within a single transaction or block. This can lead to an incorrect increase in the recipient's balance.
Impact
If the issueTo() function is called multiple times with the same parameters within a single transaction or block, the recipient's balance will be incorrectly increased by the issued amount multiple times. The recipient's balance should only be increased by the issued amount once.
Proof of Concept
Alice calls the issueTo() function with the following parameters:
recipient: Bob's address
amount: 100 tokens
Within the same transaction or block, Alice calls the issueTo() function again with the same parameters:
recipient: Bob's address
amount: 100 tokens
The issueTo() function performs the necessary checks and effects, including updating the recipient's balance and the total supply (RToken.sol:146):
```solidity
// == Interactions: Create RToken + transfer tokens to BackingManager ==
_scaleUp(recipient, amtBaskets, supply);
// ^--: No protection against multiple issuances with the same parameters
```
Since there is no protection against multiple issuances with the same parameters, Bob's balance is incorrectly increased by 200 tokens (2 * 100) instead of the expected 100 tokens.
Tools Used
Manual review
Recommended Mitigation Steps
Modify the issueTo() function to be idempotent, meaning that multiple calls with the same parameters would have the same effect as a single call. This can be achieved by using a mapping to track the issuances and their corresponding parameters, and only performing the issuance if it hasn't been done before.
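A minimal sketch of the mapping-based guard recommended above, added here as an illustration and not taken from RTokenP1 or the Reserve code base. The contract name, the `issued` mapping, the events and the single 1:1 collateral token are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not RTokenP1 code. Every name below is hypothetical.
interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract IdempotentIssuerSketch {
    IERC20Like public immutable collateral; // assumed: one collateral token, 1:1 with issued tokens
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupply;

    // keccak256(issuer, recipient, amount, block.number) => already issued
    mapping(bytes32 => bool) public issued;

    event Issuance(address indexed issuer, address indexed recipient, uint256 amount);
    event DuplicateIgnored(address indexed issuer, address indexed recipient, uint256 amount);

    constructor(IERC20Like collateral_) {
        collateral = collateral_;
    }

    /// @return performed false when an identical call was already processed in this block
    function issueTo(address recipient, uint256 amount) external returns (bool performed) {
        // == Checks ==
        require(recipient != address(0), "zero recipient");
        require(amount != 0, "zero amount");
        bytes32 key = keccak256(abi.encode(msg.sender, recipient, amount, block.number));
        if (issued[key]) {
            // Idempotent path: no mint and no collateral pulled for the repeat call.
            emit DuplicateIgnored(msg.sender, recipient, amount);
            return false;
        }

        // == Effects == (record the key before any external call)
        issued[key] = true;
        balanceOf[recipient] += amount;
        totalSupply += amount;
        emit Issuance(msg.sender, recipient, amount);

        // == Interactions ==
        require(collateral.transferFrom(msg.sender, address(this), amount), "collateral transfer failed");
        return true;
    }
}
```

Because `block.number` is part of the key, the guard only covers repeats within the same block, which is the scope the report describes; the same issuer can issue the same amount to the same recipient again in a later block. Entries in `issued` are never cleared, so each distinct issuance costs one extra storage write.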
Lines of code
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RToken.sol#L145-L146
https://github.com/code-423n4/2024-07-reserve/blob/3f133997e186465f4904553b0f8e86ecb7bbacbf/contracts/p1/RToken.sol#L105-L155
Assessed type
Reentrancy