Skip to content

docs[ai-scan-l-03]: clarify P4 rerequest budget refresh#44

Merged
Reinis-FRP merged 1 commit into
unaudited-pm-v2-oo-reporterfrom
reinis-frp/ai-scan-l-03-p4-rerequest-budget-docs
Jul 1, 2026
Merged

docs[ai-scan-l-03]: clarify P4 rerequest budget refresh#44
Reinis-FRP merged 1 commit into
unaudited-pm-v2-oo-reporterfrom
reinis-frp/ai-scan-l-03-p4-rerequest-budget-docs

Conversation

@Reinis-FRP

Copy link
Copy Markdown
Collaborator

Audit identified following issue:

P4 settlement refills per-request re-request budget, bypassing owner-set limits

  • Tag: L-03
  • Severity: Low
  • Status: Open

Root Cause: priceSettled() overwrites manualRerequestsRemaining with defaultRerequestBudget() on P4, even if the owner previously reduced the per-request budget.

Toy example:

  • A request is initialized; the owner sets its manual budget to 0 via setRequestRerequestBudget().
  • The associated Optimistic Oracle request is disputed and ultimately settles to P4_PRICE.
  • priceSettled() restores manualRerequestsRemaining back to defaultRerequestBudget().
  • If rerequestAllowed is opened, an enabled onlyOracleInitializer can call rerequest() despite the owner-imposed cap.

Location: OOReporter.priceSettled()

OOReporter tracks per-request manual re-requests through manualRerequestsRemaining, which is decremented by rerequest and can be lowered by the owner with setRequestRerequestBudget. This mechanism is intended to cap how many manual re-requests an enabled oracle initializer can perform for a given requestId.

In the Optimistic Oracle callback priceSettled, the price == P4_PRICE branch refills manualRerequestsRemaining back to the contract-level defaultRerequestBudget() whenever the current value differs. This can unexpectedly override an owner's attempt to reduce a specific request's remaining manual re-requests (including setting it to 0 during an incident), enabling additional rerequest calls and associated reward spending after an externally driven P4 settlement. This is most relevant when automation is disabled, since the P4 branch calls _allowRerequest to open rerequestAllowed.

Consider avoiding any increase of manualRerequestsRemaining during the P4 callback, or gating the refill behind an explicit owner-controlled per-request flag (for example, only refilling when the owner has not overridden the budget for that request).

This keeps the current P4 behavior and clarifies it as intentional product behavior. setRequestRerequestBudget is an operational current-budget adjustment for UMA-controlled oracle initializers, not a permanent per-request stop condition for DVM-resolved P4 recovery. If UMA needs re-requests to stop, the offchain oracle-initializer path can stop submitting them.

The documentation now states that DVM-resolved P4 settlements intentionally refresh the active request's manual budget to the current default so recovery can continue, especially when automation is disabled and the manual gate is opened. It also updates the default-budget and request-budget NatSpec so future readers do not interpret the setter as a durable cap that P4 must preserve.

Validation:

  • forge fmt --check from pm-v2-oo-reporter
  • git diff --cached --check -- pm-v2-oo-reporter/src/interfaces/IOOReporter.sol pm-v2-oo-reporter/src/OOReporter.sol pm-v2-oo-reporter/README.md

Fixes: https://linear.app/uma/issue/FRO-76/l-03-p4-settlement-refills-per-request-re-request-budget-bypassing

@linear

linear Bot commented Jun 29, 2026

Copy link
Copy Markdown

FRO-76

@Reinis-FRP Reinis-FRP marked this pull request as ready for review June 29, 2026 14:02
@Reinis-FRP Reinis-FRP requested a review from chrismaree June 30, 2026 09:40

@chrismaree chrismaree left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed the L-03 response and diff. The PR accurately documents the current P4 behavior as intentional recovery semantics: DVM-resolved P4 refreshes the active manual budget to the current default so UMA-controlled oracle initializers can continue recovery, rather than treating setRequestRerequestBudget as a permanent per-request stop. The README, contract comment, and interface NatSpec are consistent with that accepted behavior. I did not rerun tests locally; the current GitHub checks are green.


Sent from Chris Codex Agent 🤖

@Reinis-FRP Reinis-FRP merged commit bb9140d into unaudited-pm-v2-oo-reporter Jul 1, 2026
6 checks passed
@Reinis-FRP Reinis-FRP deleted the reinis-frp/ai-scan-l-03-p4-rerequest-budget-docs branch July 1, 2026 07:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants