ERIP-0: Redeem Fix

Committed: November 19, 2022
Submitter

Root DAO Multisig (RDM)

Emergency Process Note

Per the process outlined in the RDM Emergency Response Procedures, the RDM can take swift action to protect Root in the event of a bug or security vulnerability.

This bug was reported by a whitehat on Immunefi.

Problem

According to Section 3.3 of the Root whitepaper, the amount of Roots to be Redeemed from a set of Deposits is derived from the maximum percentage change in the BDV, Stalk and Seeds of Root as a result of the Redemption.

However, in the Root code, the Roots to Redeem used the minimum instead of the maximum, which allowed the user to receive more Bean Deposits than they were supposed to when Redeeming.

In total it is estimated that an additional ~226 Beans were Redeemed across 12 transactions.

Solution

Update the _transferDeposits() function to subtract the minimum amount remaining from the supply in accordance with Section 3.3 of the Root whitepaper. Because subtraction occurs in the _transferDeposits() function, subtracting the maximum amount remaining from the supply resulted in the minimum of the change in BDV, Stalk and Seeds per Root required to Redeem being used instead of the maximum.
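As an added illustration of the reasoning above (a constructed model, not Root's contract code): the Section 3.3 rule computed directly, and the "supply minus remaining" form used in _transferDeposits() with both the buggy (subtract the maximum remaining) and fixed (subtract the minimum remaining) choices. Pool totals and supply are hypothetical sample values.

```python
from fractions import Fraction

# Constructed sample state of a Root pool as (BDV, Stalk, Seeds) totals.
# These figures are hypothetical, not taken from the Root contract.
SUPPLY = 1000                # Roots outstanding before the Redemption
BEFORE = (1000, 2000, 4000)  # pool totals before the Deposits are transferred out
AFTER = (900, 1850, 3800)    # pool totals after the user's Deposits leave


def ratios_remaining(before, after):
    """Fraction of each of BDV, Stalk and Seeds that stays in the pool."""
    return [Fraction(a, b) for a, b in zip(after, before)]


def roots_to_redeem_whitepaper(supply, before, after):
    """Section 3.3 rule: Roots burned = supply * maximum percentage change."""
    changes = [1 - r for r in ratios_remaining(before, after)]
    return supply * max(changes)


def roots_to_redeem_via_remaining(supply, before, after, use_min_remaining):
    """Model of the _transferDeposits() form: burned = supply - remaining.

    use_min_remaining=True  -> fixed behaviour (subtract the MIN remaining)
    use_min_remaining=False -> buggy behaviour (subtract the MAX remaining),
                               which is the same as using the MIN change.
    """
    ratios = ratios_remaining(before, after)
    remaining = supply * (min(ratios) if use_min_remaining else max(ratios))
    return supply - remaining


def overpayment_factor(supply, before, after):
    """Deposits received per Root burned, buggy path relative to fixed path."""
    fixed = roots_to_redeem_via_remaining(supply, before, after, True)
    buggy = roots_to_redeem_via_remaining(supply, before, after, False)
    return fixed / buggy


if __name__ == "__main__":
    print("whitepaper:", roots_to_redeem_whitepaper(SUPPLY, BEFORE, AFTER))                # 100
    print("fixed     :", roots_to_redeem_via_remaining(SUPPLY, BEFORE, AFTER, True))   # 100
    print("buggy     :", roots_to_redeem_via_remaining(SUPPLY, BEFORE, AFTER, False))  # 50
    print("factor    :", overpayment_factor(SUPPLY, BEFORE, AFTER))                      # 2
```

With these sample totals the buggy path burns only 50 Roots for Deposits that should have cost 100, so the Redeemer takes out twice the Deposits per Root that Section 3.3 allows.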

The fix has been sent to Halborn.

Contract Changes

The following callable functions are modified in Root:

Name          Selector
redeem(...)   0x048f0869

Effective

Effective immediately upon commit by the RDM, which has already happened.