Reserve contest - rvierdiiev's results

A permissionless platform to launch and govern asset-backed stable currencies.

General Information

Platform: Code4rena

Start Date: 06/01/2023

Pot Size: $210,500 USDC

Total HM: 27

Participants: 73

Period: 14 days

Judge: 0xean

Total Solo HM: 18

Id: 203

League: ETH

Reserve

Findings Distribution

Researcher Performance

Rank: 30/73

Findings: 1

Award: $258.02

🌟 Selected for report: 0

🚀 Solo Findings: 0

Findings Information

🌟 Selected for report: immeas

Also found by: HollaDieWaldfee, JTJabba, hihen, rvierdiiev, unforgiven, wait

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
duplicate-267

Awards

258.0215 USDC - $258.02

External Links

Lines of code

https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/p1/RToken.sol#L344-L370

https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/p1/RToken.sol#L406-L418

Vulnerability details

Impact

Minting of RTokens can be blocked using the cancel function.

Proof of Concept

Any user can mint RTokens using the issue function. This function is allowed to mint no more than a certain amount of tokens per block. Based on the amount you want to mint, it calculates the vestingEnd variable. If you want to mint more tokens than is allowed in one block, your request is put into the queue, and later, when the vesting block passes, you can vest your tokens. What is important here is that when this vestingEnd time is calculated using the whenFinished function, it is saved in the allVestAt variable. That means that the next user who wants to mint tokens will be able to do so after the allVestAt block has passed.

Also, whenever a user has orders in the queue, he can cancel them and get his money back. That means that no RTokens will be minted for him. The cancel function just calls the refundSpan function, which returns the user's funds. Now we need to remember our allVestAt variable, which is not reset in the cancel function.

This allows an attacker to block minting of RTokens.

1. The attacker calls issue with a big amount that can't be minted in the same block (he can get a loan). For example, it will take a week to mint all those tokens. allVestAt is set to 1 week in the future.
2. The attacker cancels his order in the same tx and gets his funds back (now he can return them to the lender).
3. Because allVestAt is set to 1 week in the future, users can't mint tokens at the moment; they need to wait until 1 week has passed.

As you can see, the attacker can block users from issuing RTokens at no cost to himself.

Tools Used

VsCode

You can add a cooldown period that a user must wait after a new order is created, to avoid flash loans. However, this doesn't solve the whole issue.
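The queue behaviour described in this finding can be pinned down as a regression check. The following is an added example, not the RToken code and not part of the original report: a simplified Python model in which the names `all_vest_at`, `issue` and `cancel` mirror the report, while the vesting arithmetic, the `reset_on_cancel` rollback, the account labels and all numbers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class IssuanceModel:
    """Simplified model of rate-limited issuance; names mirror the report, logic is assumed."""
    rate: int                      # amount that may vest per block (constructed value)
    reset_on_cancel: bool = False  # hypothetical fix: roll all_vest_at back on cancel
    all_vest_at: int = 0           # block at which everything queued so far has vested
    pending: list = field(default_factory=list)  # (account, amount, prev_all_vest_at, vest_end)

    def issue(self, account: str, amount: int, now: int) -> int:
        """Queue an issuance and return the block at which it vests."""
        prev = self.all_vest_at
        start = max(prev, now - 1)                  # new work starts after the queue
        vest_end = start + -(-amount // self.rate)  # ceil(amount / rate) blocks
        self.all_vest_at = vest_end
        if vest_end > now:                          # too large for this block: queued
            self.pending.append((account, amount, prev, vest_end))
        return vest_end

    def cancel(self, account: str) -> int:
        """Refund every pending issuance of `account`; return the refunded amount."""
        refunded = sum(e[1] for e in self.pending if e[0] == account)
        if self.reset_on_cancel:
            # Undo the queue extension only while the canceller owns the tail,
            # so other accounts' vesting blocks are never moved.
            while self.pending and self.pending[-1][0] == account:
                self.all_vest_at = self.pending.pop()[2]
        self.pending = [e for e in self.pending if e[0] != account]
        return refunded

def delay_after_cancel(model: IssuanceModel, now: int, big: int, small: int) -> int:
    """Blocks a second account waits after a first account issues `big` and cancels."""
    model.issue("first", big, now)
    model.cancel("first")
    return model.issue("second", small, now) - now

if __name__ == "__main__":
    RATE, NOW, BIG = 100, 1_000, 100 * 50_400  # constructed: ~1 week of 12 s blocks
    print(delay_after_cancel(IssuanceModel(RATE), NOW, BIG, RATE))
    print(delay_after_cancel(IssuanceModel(RATE, reset_on_cancel=True), NOW, BIG, RATE))
```

The property worth asserting in a test suite is that an issuance which is fully refunded leaves no delay behind for the next issuer; the tail-only rollback is one way to satisfy it in this model, and it deliberately does nothing when another account has queued behind the canceller.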

#0 - c4-judge

2023-01-23T16:04:15Z

0xean marked the issue as duplicate of #364

#1 - c4-judge

2023-01-23T16:04:26Z

0xean marked the issue as satisfactory

#2 - c4-judge

2023-01-23T16:04:38Z

0xean changed the severity to 2 (Med Risk)
