tbrent
commented
1 month ago This is intentional. The change to seizeRSR was considered and we decided against making the change in favor of the lighterweight governance solution, despite it not being sufficient in all cases.
More detail on our thinking:
- In principle it is possible to overflow the 1e9 bounds from any previous rate value. Even an RToken that was just deployed can potentially have a seizure of 99.9999999% of the RSR, overflowing the rates. However, it is crucial to consider in this case that executing the dodge as the attacker results in gaining an extremely negligible amount of value. If the rate is 1:1, then the attacker can only preserve 1e-9 of their value by dodging. If the rate is 1e6, then the attacker can only preserve 1e-3 of their value by dodging.
- For cases that are between the 1e6 and 1e9 bound, there are 2 further subcases: (1) stakers notice; and (2) stakers don't notice
- If stakers notice, then they can reduce the amount of capital being staked and the
resetStakes()option can be used in the intended way. The caveats the warden pointed out related to delayed execution apply, here. - But if stakers don't notice, then the amount of capital in the staking pool may be of normal size. In this case, wiping out all stakers can be a disaster. If this were to occur on eUSD today, it would wipeout $20m of RSR stake. And this number will be much higher in the future as the protocol grows.
Also, it's actually not very obvious how to safely change seizeRSR() to reset both rates together. The breakdown occurs due to the draftRSR == 0 case, which is currently used as an indicator of an extreme rate since the rate is technically undefined.
For example: if draftRSR is 1 wei before the seizure, then any seizure amount will wipe out the drafts, and if we let it, the stakes too.
// update draftRate, possibly beginning a new draft era
if (draftRSR != 0 && totalDrafts != 0) {
// Downcast is safe: totalDrafts is 1e38 at most so expression maximum value is 1e56
draftRate = uint192((FIX_ONE_256 * totalDrafts + (draftRSR - 1)) / draftRSR);
}
if (draftRSR == 0 || draftRate > MAX_DRAFT_RATE) {
seizedRSR += draftRSR;
beginDraftEra();
}I won't claim there doesn't exist some way to change seizeRSR() to deal with this, but it was at this point that we decided the change introduces more danger than it removes. Meanwhile, the resetStakes() function is most likely sufficient, as the cases where lots of value could be gained by a dodging attacker are also the cases where resetStakes() could be used, because the rate was already nearby the 1e9 bounds.
c4-judge
We found the finding M-05: Users can dodge losses due to StRSR era changes with instant operations only partially mitigated.
The root cause of the original finding is that:
Both these aspects are still present in the code. We acknowledge that allowing governance to reset both rates together decreases the likelihood of a single bucket resetting without the other. However, the reason why this finding was judged as Medium severity, that is, quoting the judge:
still applies in full. The likelihood is lowered, but the fix relies solely on a Governance action, which may not be able to come in time due to its organic voting period and subsequent timelock execution.
For the issue to be mitigated in full, we recommend changing the
seizeRSRlogic to reset both rates whenever one passes its safe zone: this way, even if Governance doesn't (or can't) act with aresetStakescall, the attack is never possible.