M-02 MitigationConfirmed #3
Labels: confirmed for report (This issue is confirmed for report); mitigation-confirmed; MR-M-02; satisfactory (satisfies C4 submission criteria; eligible for awards)
Lines of code
Vulnerability details
See:
Navigating to M-02 from the previous contest, we can see that there is a vulnerability (a wrong assumption) in the `seizeRSR` function: by manipulating staking and unstaking actions, the contract can be brought into a state where it is unable to seize RSR because of a division-by-zero error. This occurs due to broken assumptions about `stakeRSR` and `totalStakes`, allowing a scenario where `totalStakes` becomes zero while `stakeRSR` remains non-zero. The issue can be triggered through a specific sequence of actions involving unstaking, manipulating stake rates, and front-running `seizeRSR` calls, as shown in the updated POC here.

The recommended mitigation is to enforce the invariant that if `totalStakes` is zero, then `stakeRSR` must also be zero, by not accepting 0-amount mints. Alternatively, Reserve could consider updating the `stakeRate` only if both `stakeRSR` and `totalStakes` are non-zero, or setting the `stakeRate` to `FIX_ONE` if either of the two is zero.

This has been sufficiently mitigated in the pull request used to solve this, considering Reserve now updates `stakeRate` only if both `stakeRSR` and `totalStakes` are non-zero, i.e.: