Omniscia Rain Protocol Audit
ERC20Redeem Manual Review Findings
ERR-01M: Potentially Unfair Redemptions of Rebasing Assets
Type | Severity | Location
---|---|---
Logical Fault | | ERC20Redeem.sol:L86-L89
Description:
The ERC20Redeem contract should be specified as incompatible with rebasing tokens. The payout loop in the _redeem function computes each asset's share from the treasury's balance in a first loop and only transfers those stored amounts in a second loop. A malicious user can include in the asset list a token whose transfer triggers the rebase operation of a rebasing treasury asset after the proportions have been calculated; the stored amount then no longer matches the asset's post-rebase balance, yielding a disproportionate transfer to the user.
Example:
contracts/erc20/ERC20Redeem.sol
```solidity
58  // Calculate everything before any balances change.
59  uint256[] memory amounts_ = new uint256[](assetsLength_);
60
61  // The fraction of the assets we release is the fraction of the
62  // outstanding total supply of the redeemable being burned.
63  // Every treasury asset is released in the same proportion.
64  // Guard against no asset redemptions and log all events before we
65  // change any contract state or call external contracts.
66  require(assetsLength_ > 0, "EMPTY_ASSETS");
67  uint256 supply_ = IERC20(address(this)).totalSupply();
68  uint256 amount_ = 0;
69  for (uint256 i_ = 0; i_ < assetsLength_; i_++) {
70      amount_ =
71          (treasuryAssets_[i_].balanceOf(address(this)) * redeemAmount_) /
72          supply_;
73      require(amount_ > 0, "ZERO_AMOUNT");
74      emit Redeem(
75          msg.sender,
76          address(treasuryAssets_[i_]),
77          redeemAmount_,
78          amount_
79      );
80      amounts_[i_] = amount_;
81  }
82
83  // Burn FIRST (reentrancy safety).
84  _burn(msg.sender, redeemAmount_);
85
86  // THEN send all assets.
87  for (uint256 i_ = 0; i_ < assetsLength_; i_++) {
88      treasuryAssets_[i_].safeTransfer(msg.sender, amounts_[i_]);
89  }
```
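To make the window between the two loops concrete, the following Python model replays the audited payout order (compute every amount from current balances, burn, then transfer the stored amounts) once with a plain rebasing treasury asset and once with an attacker-supplied token listed before it whose transfer fires a rebase. This is an added example written for this review, not Rain Protocol or Omniscia code. The token classes, the names rAMPL and EVIL, the permissionless rebase(), the attacker seeding the treasury with their own token and the 10%/1000-unit figures are all assumptions constructed for illustration.

```python
"""Model of the ERC20Redeem._redeem payout order (compute amounts, burn,
transfer) with a rebase fired between the two loops. Added example, not
Rain Protocol or Omniscia code; tokens, addresses and amounts are
constructed for illustration."""
from typing import Callable, Dict, List, Tuple

WAD = 10**18
TREASURY = "ERC20Redeem"  # stands in for address(this)
ATTACKER = "attacker"

class Token:
    """Vanilla ERC-20: fixed balances, no transfer hooks."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.balances: Dict[str, int] = {}
    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)
    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount
    def transfer(self, sender: str, to: str, amount: int) -> None:
        if self.balance_of(sender) < amount:
            raise ValueError(f"{self.name}: insufficient balance")
        self.balances[sender] -= amount
        self.balances[to] = self.balance_of(to) + amount

class RebasingToken(Token):
    """Ampleforth-style token: balances are shares times a global index.
    rebase() is assumed callable by anyone here; real tokens gate it."""
    def __init__(self, name: str) -> None:
        super().__init__(name)
        self.index = WAD  # 1.0
    def _to_shares(self, amount: int) -> int:
        return amount * WAD // self.index
    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0) * self.index // WAD
    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + self._to_shares(amount)
    def transfer(self, sender: str, to: str, amount: int) -> None:
        shares = self._to_shares(amount)
        if self.balances.get(sender, 0) < shares:
            raise ValueError(f"{self.name}: insufficient balance")
        self.balances[sender] -= shares
        self.balances[to] = self.balances.get(to, 0) + shares
    def rebase(self, numerator: int, denominator: int) -> None:
        self.index = self.index * numerator // denominator

class HookToken(Token):
    """Attacker-deployed token whose transfer runs a callback: the "token that
    invokes the rebase operation" of the finding (hypothetical)."""
    def __init__(self, name: str, on_transfer: Callable[[], None]) -> None:
        super().__init__(name)
        self.on_transfer = on_transfer
    def transfer(self, sender: str, to: str, amount: int) -> None:
        super().transfer(sender, to, amount)
        self.on_transfer()

class Redeemable:
    """Mirrors the audited loop: every amount is computed from the current
    balance, the redeemable is burned, then the stored amounts are paid."""
    def __init__(self, holders: Dict[str, int]) -> None:
        self.holders = dict(holders)
        self.total_supply = sum(holders.values())
    def redeem(self, caller: str, assets: List[Token], redeem_amount: int) -> List[int]:
        if not assets:
            raise ValueError("EMPTY_ASSETS")
        if self.holders.get(caller, 0) < redeem_amount:
            raise ValueError("insufficient redeemable")
        supply = self.total_supply
        amounts: List[int] = []
        for asset in assets:  # proportions are fixed here ...
            amount = asset.balance_of(TREASURY) * redeem_amount // supply
            if amount == 0:
                raise ValueError("ZERO_AMOUNT")
            amounts.append(amount)
        self.holders[caller] -= redeem_amount  # burn FIRST
        self.total_supply -= redeem_amount
        for asset, amount in zip(assets, amounts):  # ... and paid out here
            asset.transfer(TREASURY, caller, amount)
        return amounts

def simulate(with_hook: bool) -> Tuple[int, int]:
    """Attacker holds 10% of the redeemable; treasury holds 1000 rAMPL.
    Returns (rAMPL received by the attacker, rAMPL left in the treasury)."""
    rampl = RebasingToken("rAMPL")
    rampl.mint(TREASURY, 1000 * WAD)
    redeemable = Redeemable({ATTACKER: 100 * WAD, "others": 900 * WAD})
    assets: List[Token] = []
    if with_hook:
        # Anyone can send tokens to the contract, so the attacker seeds the
        # treasury with EVIL and lists it before rAMPL; its transfer hook
        # halves every rAMPL balance after amounts_ has been fixed.
        evil = HookToken("EVIL", on_transfer=lambda: rampl.rebase(1, 2))
        evil.mint(TREASURY, 1000)
        assets.append(evil)
    assets.append(rampl)
    redeemable.redeem(ATTACKER, assets, 100 * WAD)
    return rampl.balance_of(ATTACKER), rampl.balance_of(TREASURY)
```

Without the hook, simulate(False) pays the attacker 100 rAMPL and leaves 900, the fair 10%. With the hook, simulate(True) still pays the pre-rebase figure of 100 rAMPL, but the treasury held only 500 at transfer time, so the attacker walks away with 20% of it and leaves 400 for the remaining 90% of holders. A rebase in the other direction, or a malicious token ordered after the rebasing asset, skews the payout differently but the stored amounts_ are equally stale; the point is that nothing in the second loop re-reads balanceOf.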
Recommendation:
We advise that this limitation be clearly stated in the documentation, as it becomes a treasury risk if the contract is used with rebasing tokens.
Alleviation:
The documentation of the _redeem function was adequately updated to state that the contract is compatible with "vanilla" ERC-20 tokens and would fail with rebasing and similar assets, thereby alleviating this exhibit in full.