Malicious uses can prevente other users from issuing new RTokens by continuously issue and cancel RToken #367
Description
Lines of code
https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/p1/RToken.sol#L186
https://github.com/reserve-protocol/protocol/blob/df7ecadc2bae74244ace5e8b39e94bc992903158/contracts/p1/RToken.sol#L406-L418
Vulnerability details
Impact
The RToken issuance will not work, i.e users will not be able to mint new RTokens.
Proof of Concept
The issuing time of RToken is determined by RToken#allVestAt and issue amount.
Every issuance will increase the allVestAt, which will make later issuances to have a bigger issuing time.
Therefore, a malicious user can rapidly increase the allVestAt by issuing large issues, which makes all subsequent users have to wait a long time to issue.
Originally, this wouldn't be a big deal, because it requires the malicious user to pledge all the assets to the protocol.
But, RToken also has a RToken#cancel() function which allows a user to cancel his pending issuances in the issueQueues at any time without any cost.
Using this, the malicious user can extend the issuance period for all subsequent users quickly and costless by iteratively calling issue() and cancel().
Also because it is costless for calling cancel(), flashloan can be used to improve the efficiency of the attack.
Tools Used
Manual
Recommended Mitigation Steps
We can set a wait time for the cancel operation, that larger issuance will need wait more time to cancel.