Code4rena (code423n4), CODE423N4:2023-07-RESERVE-FINDINGS-ISSUES-31
Aug 04, 2023 - 12:00 a.m.

RTokenAsset price estimation accounts for margin of error twice


AI Score: 6.9 Medium (Confidence: Low)

Lines of code
<https://github.com/reserve-protocol/protocol/blob/9ee60f142f9f5c1fe8bc50eef915cf33124a534f/contracts/plugins/assets/RTokenAsset.sol#L100-L115>

Vulnerability details

RTokenAsset estimates the price by multiplying the BU (basket unit) price estimation by the estimation of baskets held (then dividing by total supply).
The issue is that both BU and baskets held account for price margin of error, widening the range of the price more than necessary.

Impact

This would increase the high estimation of the price and decrease the lower estimation.
This would impact:

  • Setting a lower min price for trading (possibly selling the asset for less than its value)
  • Preventing the sale of the asset (lotLow falling below the min trade volume)
  • Misestimation of the basket range on the ‘parent’ RToken

Proof of Concept

  • Both tryPrice() and lotPrice() use this method of multiplying basket unit price by basket range then dividing by total supply
  • BU price accounts for oracle error
  • As for the basket range - whenever one of the collaterals is missing (i.e. less than baskets needed) it estimates the value of anything above the min baskets held, and when doing that it estimates for oracle error as well.

Consider the following scenario:

  • We have a basket composed of 1 ETH token and 1 USD token (cUSDCv2)
  • cUSDCv2 defaults and the backup token AAVE-USDC kicks in
  • Before trading rebalances things we have 0 AAVE-USDC
  • This means that when estimating the low price of the ETH we’re accounting for margin of error at least twice:
    • Within the basketRange() we’re dividing the ETH’s low price by buPriceHigh
    • Then we multiply again by buPriceLow

(There’s also some duplication within the basketRange(), but that function isn’t in scope; what is in scope is the additional margin of error when multiplying by buPriceLow.)

Recommended Mitigation Steps

I think the best way to mitigate this would be to use a dedicated function to estimate the price; I don’t see an easy way to fix this while using the existing functions.

Assessed type

Other
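
The ETH/USD scenario from the Proof of Concept, worked numerically as an added example that is not part of the original report or the Reserve code base. It is a simplified model of the low estimate only: the function names, the prices, the 1% oracle error shared by both assets, and the omission of slippage and other terms in the real basketRange() are all assumptions.

```python
from fractions import Fraction as F

def bounds(price, err):
    """Return (low, high) for an oracle price with relative error `err`."""
    return price * (1 - err), price * (1 + err)

def rtoken_low_estimates(eth_price, usd_price, err, eth_held, supply):
    """Low RToken price per token: (compounded, single_error)."""
    eth_low, eth_high = bounds(eth_price, err)
    usd_low, usd_high = bounds(usd_price, err)
    # BU = 1 ETH + 1 USD token; the BU price already carries oracle error.
    bu_low, bu_high = eth_low + usd_low, eth_high + usd_high
    # Bottom of the basket range: 0 AAVE-USDC held means 0 complete baskets,
    # so all ETH is surplus, valued at its low price and converted to
    # baskets at buPriceHigh (first and second application of the error).
    baskets_bottom = eth_held * eth_low / bu_high
    # RTokenAsset-style low price: multiply by buPriceLow again.
    compounded = bu_low * baskets_bottom / supply
    # Reference: value the same ETH at its low price exactly once.
    single_error = eth_held * eth_low / supply
    return compounded, single_error

if __name__ == "__main__":
    # Constructed sample values, not taken from the report.
    c, s = rtoken_low_estimates(F(2000), F(1), F(1, 100), F(100), F(100))
    print(f"compounded low   = {float(c):.2f}")
    print(f"single-error low = {float(s):.2f}")
    print(f"ratio            = {c / s} (= (1-err)/(1+err))")
```

With these inputs the compounded low estimate is about 2% below the single-error one, on top of the 1% already applied to the ETH price.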

