C4 #29 (#885)

contracts/p0/Furnace.sol

@@ -58,8 +58,14 @@ contract FurnaceP0 is ComponentP0, IFurnace {
     /// Ratio setting
     /// @custom:governance
     function setRatio(uint192 ratio_) public governance {
-        // solhint-disable-next-line no-empty-blocks
-        try this.melt() {} catch {}
+        if (lastPayout > 0) {
+            // solhint-disable-next-line no-empty-blocks
+            try this.melt() {} catch {
+                uint48 numPeriods = uint48((block.timestamp) - lastPayout) / PERIOD;
+                lastPayout += numPeriods * PERIOD;
+                lastPayoutBal = main.rToken().balanceOf(address(this));
+            }
+        }
         require(ratio_ <= MAX_RATIO, "invalid ratio");
         // The ratio can safely be set to 0, though it is not recommended
         emit RatioSet(ratio, ratio_);

contracts/p1/Furnace.sol

@@ -90,8 +90,14 @@ contract FurnaceP1 is ComponentP1, IFurnace {
     /// Ratio setting
     /// @custom:governance
     function setRatio(uint192 ratio_) public governance {
-        // solhint-disable-next-line no-empty-blocks
-        if (lastPayout > 0) try this.melt() {} catch {}
+        if (lastPayout > 0) {
+            // solhint-disable-next-line no-empty-blocks
+            try this.melt() {} catch {
+                uint48 numPeriods = uint48((block.timestamp) - lastPayout) / PERIOD;
+                lastPayout += numPeriods * PERIOD;
+                lastPayoutBal = rToken.balanceOf(address(this));
+            }
+        }
         require(ratio_ <= MAX_RATIO, "invalid ratio");
         // The ratio can safely be set to 0 to turn off payouts, though it is not recommended
         emit RatioSet(ratio, ratio_);

test/Furnace.test.ts

@@ -446,6 +446,45 @@ describe(`FurnaceP${IMPLEMENTATION} contract`, () => {
 
       expect(diff).to.be.lte(expectedDiff)
     })
+
+    it('Regression test -- C4 June 2023 Issue #29', async () => {
+      // https://github.com/code-423n4/2023-06-reserve-findings/issues/29
+
+      // Transfer to Furnace and do first melt
+      await rToken.connect(addr1).transfer(furnace.address, bn('10e18'))
+      await setNextBlockTimestamp(Number(await getLatestBlockTimestamp()) + Number(ONE_PERIOD))
+      await furnace.melt()
+
+      // Should have updated lastPayout + lastPayoutBal
+      expect(await furnace.lastPayout()).to.be.closeTo(await getLatestBlockTimestamp(), 12)
+      expect(await furnace.lastPayout()).to.be.lte(await getLatestBlockTimestamp())
+      expect(await furnace.lastPayoutBal()).to.equal(bn('10e18'))
+
+      // Advance 99 periods -- should melt at old ratio
+      await setNextBlockTimestamp(Number(await getLatestBlockTimestamp()) + 99 * Number(ONE_PERIOD))
+
+      // Freeze and change ratio
+      await main.connect(owner).freezeForever()
+      const maxRatio = bn('1e14')
+      await expect(furnace.connect(owner).setRatio(maxRatio))
+        .to.emit(furnace, 'RatioSet')
+        .withArgs(config.rewardRatio, maxRatio)
+
+      // Should have updated lastPayout + lastPayoutBal
+      expect(await furnace.lastPayout()).to.be.closeTo(await getLatestBlockTimestamp(), 12)
+      expect(await furnace.lastPayout()).to.be.lte(await getLatestBlockTimestamp())
+      expect(await furnace.lastPayoutBal()).to.equal(bn('10e18')) // no change
+
+      // Unfreeze and advance 1 period
+      await main.connect(owner).unfreeze()
+      await setNextBlockTimestamp(Number(await getLatestBlockTimestamp()) + Number(ONE_PERIOD))
+      await expect(furnace.melt()).to.emit(rToken, 'Melted')
+
+      // Should have updated lastPayout + lastPayoutBal
+      expect(await furnace.lastPayout()).to.be.closeTo(await getLatestBlockTimestamp(), 12)
+      expect(await furnace.lastPayout()).to.be.lte(await getLatestBlockTimestamp())
+      expect(await furnace.lastPayoutBal()).to.equal(bn('9.999e18'))
+    })
   })
 
   describeExtreme('Extreme Bounds', () => {