Reserve contest - Ruhum's results

A permissionless platform to launch and govern asset-backed stable currencies.

General Information

Platform: Code4rena

Start Date: 06/01/2023

Pot Size: $210,500 USDC

Total HM: 27

Participants: 73

Period: 14 days

Judge: 0xean

Total Solo HM: 18

Id: 203

League: ETH

Researcher Performance

Rank: 40/73

Findings: 1

Award: $121.59

QA: grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

121.587 USDC - $121.59

Labels

bug
downgraded by judge
grade-b
QA (Quality Assurance)
sponsor confirmed
edited-by-warden
Q-39

Lines of code

  • https://github.com/reserve-protocol/protocol/blob/master/scripts/deployment/utils.ts#L17-L19
  • https://github.com/reserve-protocol/protocol/blob/master/scripts/deployment/phase2-assets/1_deploy_assets.ts#L46
  • https://github.com/reserve-protocol/protocol/blob/master/scripts/deployment/phase2-assets/1_deploy_assets.ts#L60
  • https://github.com/reserve-protocol/protocol/blob/master/scripts/deployment/phase2-assets/2_deploy_collateral.ts#L48
  • https://github.com/reserve-protocol/protocol/blob/master/scripts/deployment/phase2-assets/2_deploy_collateral.ts#L105
  • https://github.com/reserve-protocol/protocol/blob/master/scripts/deployment/phase2-assets/2_deploy_collateral.ts#L526
  • https://github.com/reserve-protocol/protocol/blob/master/contracts/plugins/assets/OracleLib.sol#L27

Vulnerability details

Impact

The protocol implements a safety mechanism to guard against stale Chainlink feeds: if the oracle's last update is more than a day old, the contract reverts. Chainlink feeds, however, are refreshed at a fixed interval (the heartbeat), and most of the feeds the protocol uses at deployment are refreshed every hour rather than daily. With the current configuration, a feed that has been stale for 23 rounds (23 hours) is still treated as valid. Asset prices are critical to the protocol, so minimizing the risk of acting on stale prices is of utmost importance. Setting the timeout to 24 hours for every Chainlink feed is an unnecessary risk.

Proof of Concept

The following token feeds are refreshed every hour:

  • AAVE 0x547a514d5e3769680Ce22B2361c10Ea13619e8a9
  • COMP 0xdbd020CAeF83eFd542f4De03e3cF0C28A4428bd5
  • DAI 0xAed0c38402a5d19df6E4c03F4E2DceD6e29c1ee9
  • USDP 0x09023c0DA49Aaf8fc3fA3ADF34C6A7016D38D5e3
  • ETH 0x5f4ec3df9cbd43714fe2740f5e3616155c5b8419

The assets deployed with those feeds set oracleTimeout to 86000s; see the linked lines of code.

Tools Used

none

Recommended Mitigation Steps

Set oracleTimeout to a value slightly above 3600. The feed is not updated exactly 3600 seconds after the previous round, so some margin for error is needed. For example, the AAVE/USD feed was updated after 3624 seconds between rounds 55340232221128673944 and 55340232221128673945.
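To make the numbers in the finding concrete, the following is an added Python model (not Reserve's code, and not a reproduction of OracleLib) of the kind of timeout check the finding describes, together with a small audit of configured oracleTimeout values against feed heartbeats. The round data, the block timestamp, and the 300 s slack are constructed for this example; the hourly heartbeats and the 86000 s timeout are the figures quoted above.

```python
"""Added example (not Reserve's code): model of a Chainlink staleness check
and an audit of configured oracleTimeout values against feed heartbeats."""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Round:
    """Subset of the values a Chainlink aggregator returns from latestRoundData()."""
    round_id: int
    answer: int             # price in the feed's decimals (8 for USD feeds)
    updated_at: int         # unix timestamp of the round's last update
    answered_in_round: int


class StalePrice(Exception):
    pass


def read_price(latest: Round, now: int, timeout: int) -> int:
    """Return the price or raise StalePrice. The age check is the one the
    finding discusses: the price is accepted as long as age <= timeout."""
    if latest.updated_at == 0 or latest.answered_in_round < latest.round_id:
        raise StalePrice("round not yet complete")
    seconds_since = now - latest.updated_at
    if seconds_since > timeout:
        raise StalePrice(f"last update {seconds_since}s ago exceeds timeout {timeout}s")
    return latest.answer


def is_stale(latest: Round, now: int, timeout: int) -> bool:
    """True if read_price would revert for this round at this timestamp."""
    try:
        read_price(latest, now, timeout)
    except StalePrice:
        return True
    return False


def missed_heartbeats_tolerated(timeout: int, heartbeat: int) -> int:
    """Whole heartbeats a feed can miss while the check still accepts its price."""
    return timeout // heartbeat


def audit_oracle_timeouts(configured: Dict[str, int],
                          heartbeats: Dict[str, int],
                          slack: int) -> Dict[str, int]:
    """Map each feed whose timeout exceeds heartbeat + slack to the value it should use."""
    return {name: heartbeats[name] + slack
            for name, timeout in configured.items()
            if timeout > heartbeats[name] + slack}


# Constructed inputs. Heartbeats are the hourly ones the finding lists, 86000 is
# the configured timeout it quotes. The 300 s slack is an assumed margin; it
# comfortably covers the 24 s overrun observed on AAVE/USD (3624 s between rounds).
HEARTBEATS = {"AAVE": 3600, "COMP": 3600, "DAI": 3600, "USDP": 3600, "ETH": 3600}
CONFIGURED = {name: 86000 for name in HEARTBEATS}
SLACK = 300
NOW = 1_700_000_000  # constructed block.timestamp


def demo() -> Dict[str, object]:
    """Exercise the check with a 23-hour-stale round and a round that ran 24 s late."""
    stale_23h = Round(round_id=1, answer=80_00000000,
                      updated_at=NOW - 23 * 3600, answered_in_round=1)
    late_by_24s = Round(round_id=2, answer=80_00000000,
                        updated_at=NOW - 3624, answered_in_round=2)
    return {
        "tolerated_misses_at_86000": missed_heartbeats_tolerated(86000, 3600),
        "stale_23h_accepted_with_86000": not is_stale(stale_23h, NOW, 86000),
        "stale_23h_accepted_with_3900": not is_stale(stale_23h, NOW, 3900),
        "late_round_rejected_with_3600": is_stale(late_by_24s, NOW, 3600),
        "late_round_accepted_with_3900": not is_stale(late_by_24s, NOW, 3900),
        "misconfigured_feeds": audit_oracle_timeouts(CONFIGURED, HEARTBEATS, SLACK),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The late-round case is why the mitigation says "slightly above 3600" rather than exactly 3600: a timeout equal to the heartbeat would revert on a round that was only 24 seconds late, while 86000 lets 23 missed heartbeats through unnoticed.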

#0 - c4-judge

2023-01-24T03:07:18Z

0xean changed the severity to QA (Quality Assurance)

#1 - c4-judge

2023-01-24T22:36:08Z

0xean marked the issue as grade-b

#2 - c4-sponsor

2023-02-07T23:47:17Z

tbrent marked the issue as sponsor confirmed

#3 - tbrent

2023-02-07T23:47:56Z

Just fyi we agree this is a good suggestion, we just weren't able to include it in time for the mitigation review.
