
The net issuance or net redemption may exceed the per-hour limit. #153

Open
c4-bot-5 opened this issue Aug 19, 2024 · 0 comments
Labels
2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working 🤖_52_group AI based duplicate group recommendation sufficient quality report This report is of sufficient quality

Comments

@c4-bot-5
Contributor

Lines of code

https://github.com/code-423n4/2024-07-reserve/blob/main/contracts/libraries/Throttle.sol#L69-L77

Vulnerability details

Impact

When calculating the current available amount of RToken in ThrottleLib.currentlyAvailable, the last available amount (i.e. throttle.lastAvailable in L75) is also included, which may exceed the hourly limit in some cases.

69:    function currentlyAvailable(Throttle storage throttle, uint256 limit)
70:        internal
71:        view
72:        returns (uint256 available)
73:    {
74:        uint48 delta = uint48(block.timestamp) - throttle.lastTimestamp; // {seconds}
75:@>      available = throttle.lastAvailable + (limit * delta) / ONE_HOUR;
76:        if (available > limit) available = limit;
77:    }


Proof of Concept

We assume that the max hourly limit of net issuance or net redemption for an RToken is 3600 units. At any time, the value of throttle.lastAvailable may range from 0 to 3600 units.

  1. At T - 300 seconds, some user issues some RTokens, and the resulting throttle.lastAvailable is 200 units.
  2. At T + 3000 seconds, some user issues 3500 units of RToken. The elapsed time since the last issuance is 3300 seconds, so the currently available amount is throttle.lastAvailable + (limit * delta) / ONE_HOUR = 200 + (3600 * 3300 / ONE_HOUR) = 3500 units, and the new throttle.lastAvailable is 0 after the issuance.
  3. At T + 3600 seconds, someone issues 600 units of RToken. The elapsed time since the last issuance is 600 seconds, so the currently available amount is throttle.lastAvailable + (limit * delta) / ONE_HOUR = 0 + (3600 * 600 / ONE_HOUR) = 600 units, and the new throttle.lastAvailable is 0 after the issuance.

We can see that within the hour from T to T + 3600 seconds, the total number of units issued is 3500 + 600 = 4100 units, which exceeds the maximum limit of 3600 units per hour.

Tools Used

VS Code

Recommended Mitigation Steps

Record lastUsed in struct Throttle, and subtract it when calculating the currently available amount.

    struct Throttle {
        // === Gov params ===
        Params params;
        // === Cache ===
        uint48 lastTimestamp; // {seconds}
        uint256 lastAvailable; // {qRTok}
+       uint256 lastUsed;
    }
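Review bot: the new `lastUsed` field lacks the unit annotation its neighbour `lastAvailable` carries (`// {qRTok}`), and since `useAvailable` takes `int256 amount` it should also say whether it stores a magnitude or a signed value; suggest `uint256 lastUsed; // {qRTok}, magnitude of the last use`.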

    function useAvailable(
        Throttle storage throttle,
        uint256 supply,
        int256 amount
    ) internal {
        ...
        throttle.lastAvailable = available;
+       throttle.lastUsed = amount;
    }
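Review bot: `throttle.lastUsed = amount;` assigns the `int256 amount` parameter to a `uint256` field with no explicit conversion, which Solidity rejects, and a negative `amount` would have to be handled anyway. Store the magnitude explicitly, e.g. `throttle.lastUsed = amount < 0 ? uint256(-amount) : uint256(amount);`.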

    function currentlyAvailable(Throttle storage throttle, uint256 limit)
        internal
        view
        returns (uint256 available)
    {
        uint48 delta = uint48(block.timestamp) - throttle.lastTimestamp; // {seconds}
        available = throttle.lastAvailable + (limit * delta) / ONE_HOUR;
        if (available > limit) available = limit;
+       uint256 lastUsed = delta >= ONE_HOUR ? 0 : throttle.lastUsed;
+       available -= lastUsed;
    }
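Review bot: `available -= lastUsed;` can underflow and revert. With the report's own numbers, at T + 3600 `available` is 600 while `lastUsed` is 3500, so under checked arithmetic the call reverts and `currentlyAvailable` stays unusable until a full hour has passed since `lastTimestamp` and `lastUsed` is zeroed. Clamp instead of subtracting: `available = available > lastUsed ? available - lastUsed : 0;`.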

Assessed type

Math

@c4-bot-5 c4-bot-5 added 2 (Med Risk) Assets not at direct risk, but function/availability of the protocol could be impacted or leak value bug Something isn't working labels Aug 19, 2024
c4-bot-10 added a commit that referenced this issue Aug 19, 2024
@c4-bot-12 c4-bot-12 added the 🤖_52_group AI based duplicate group recommendation label Aug 19, 2024
howlbot-integration bot added a commit that referenced this issue Aug 20, 2024
@howlbot-integration howlbot-integration bot added the sufficient quality report This report is of sufficient quality label Aug 20, 2024
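The throttle arithmetic from the Proof of Concept above, replayed as an added Python simulation (an editor's example, not code from the report or from the Reserve repository). It ports the `currentlyAvailable` formula visible in the report, assumes that `useAvailable` subtracts an issued amount from what is currently available and caches the remainder (its body is elided on the page), represents step 1 as a starting state of `lastAvailable = 200` at T - 300, and then measures the largest total issued inside any 3600-second window. The names `Throttle`, `use_available`, `max_issued_in_any_hour` and `run_poc` are chosen for this example; the event schedule is constructed from the report's three steps.

```python
"""Simulation of the hourly throttle described in the report (constructed example)."""
from dataclasses import dataclass

ONE_HOUR = 3600  # seconds, as in Throttle.sol


@dataclass
class Throttle:
    # Mirrors the cache fields of struct Throttle shown in the report.
    last_timestamp: int = 0   # {seconds}
    last_available: int = 0   # {qRTok}


def currently_available(throttle: Throttle, now: int, limit: int) -> int:
    """Port of ThrottleLib.currentlyAvailable: the cached remainder plus a
    refill of `limit` per hour, capped at `limit`."""
    delta = now - throttle.last_timestamp
    available = throttle.last_available + (limit * delta) // ONE_HOUR
    return min(available, limit)


def use_available(throttle: Throttle, now: int, limit: int, amount: int) -> int:
    """Assumed behaviour of useAvailable for an issuance (the report elides its
    body): consume `amount` from the current allowance and cache what is left."""
    available = currently_available(throttle, now, limit)
    if amount > available:
        raise ValueError(f"throttle: requested {amount}, only {available} available")
    throttle.last_timestamp = now
    throttle.last_available = available - amount
    return throttle.last_available


def max_issued_in_any_hour(events):
    """Largest total issued inside any closed window [t, t + ONE_HOUR] that
    starts at one of the events. `events` is a list of (timestamp, amount)."""
    worst = 0
    for start, _ in events:
        total = sum(a for t, a in events if start <= t <= start + ONE_HOUR)
        worst = max(worst, total)
    return worst


def run_poc(limit: int = 3600, t: int = 100_000):
    """Replay the report's schedule: state after step 1, then steps 2 and 3.
    Returns the issuance events and the worst-case hourly total."""
    thr = Throttle(last_timestamp=t - 300, last_available=200)  # after step 1
    schedule = [(t + 3000, 3500), (t + 3600, 600)]               # steps 2 and 3
    events = []
    for now, amount in schedule:
        use_available(thr, now, limit, amount)  # raises if the throttle refuses
        events.append((now, amount))
    return events, max_issued_in_any_hour(events)


if __name__ == "__main__":
    issued, worst = run_poc()
    print("issuances:", issued)
    print("largest total inside one hour:", worst)
```

Calling `run_poc()` returns the two issuances and 4100 as the largest total issued inside one hour, matching the report's figure against a limit of 3600. The same `max_issued_in_any_hour` check can be run over any constructed schedule to see whether the carried-over `lastAvailable` lets some window exceed `limit`.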