Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $125,000 USDC
Total HM: 26
Participants: 189
Period: 16 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 278
League: ETH
Rank: 139/189
Findings: 2
Award: $15.94
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: klau5
Also found by: 0x3b, 0xCiphky, 0xDING99YA, 0xWaitress, 0xbranded, 0xc0ffEE, 0xklh, 0xsurena, 0xvj, ABA, AkshaySrivastav, Anirruth, Aymen0909, Baki, Blockian, BugzyVonBuggernaut, DanielArmstrong, Evo, GangsOfBrahmin, HChang26, Inspex, Jiamin, Juntao, Kow, Krace, KrisApostolov, LFGSecurity, LokiThe5th, Mike_Bello90, Norah, Nyx, QiuhaoLi, RED-LOTUS-REACH, SBSecurity, Snow24, SpicyMeatball, T1MOH, Tendency, Toshii, Udsen, Yanchuan, __141345__, ak1, asui, auditsea, ayden, bart1e, bin2chen, blutorque, carrotsmuggler, chaduke, chainsnake, circlelooper, clash, codegpt, crunch, degensec, dirk_y, ge6a, gjaldon, grearlake, jasonxiale, juancito, ke1caM, kodyvim, kutugu, ladboy233, lanrebayode77, mahdikarimi, max10afternoon, mert_eren, nirlin, nobody2018, oakcobalt, parsely, peakbolt, pks_, pontifex, ravikiranweb3, rokinot, rvierdiiev, said, savi0ur, sces60107, sh1v, sl1, spidy730, tapir, tnquanghuy0512, ubermensch, visualbits, volodya, wintermute
0.0098 USDC - $0.01
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L359 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L201
subtractLoss, which is called in the PerpetualAtlanticVault when settling options, requires that the balance of the LP is exactly equal to collateral - loss. However, if anyone makes a donation attack of even 1 wei, this condition will no longer be true, so the require statement always fails and settlement reverts.
As a result of options not being settled, they will be worthless in terms of collateralization as they cannot ever be exercised.
Assume the balance of the LP is 100e18, collateral is 101e18 and loss is 1e18. An attacker sends 1 wei of collateral to the LP so that the balance is now 100e18 + 1. When the option is settled, balance != collateral - loss, so the require statement fails and the option is not settled.
Manual review.
Change the condition to collateral.balanceOf(address(this)) >= _totalCollateral - loss
DoS
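The strict and relaxed checks side by side, as an added Python model that is not part of the original report and is not the Dopex Solidity source. The class, the function names and the transfer-then-check order are assumptions chosen to match the report's numbers.

```python
WEI = 10**18  # the report's amounts are written as N e18


class Revert(Exception):
    """Stands in for a failed Solidity require()."""


class LpModel:
    def __init__(self, collateral, strict):
        self.balance = collateral           # collateral.balanceOf(address(this))
        self.total_collateral = collateral  # _totalCollateral (internal accounting)
        self.strict = strict                # True: '==' check, False: '>=' check

    def donate(self, amount):
        # A plain token transfer raises the balance but bypasses the accounting.
        self.balance += amount

    def subtract_loss(self, loss):
        expected = self.total_collateral - loss
        ok = self.balance == expected if self.strict else self.balance >= expected
        if not ok:
            raise Revert("balance check failed")
        self.total_collateral -= loss

    def settle(self, loss):
        # Assumed order: the loss leaves the LP first, then the check runs.
        self.balance -= loss
        try:
            self.subtract_loss(loss)
        except Revert:
            self.balance += loss  # a revert undoes the transfer as well
            raise


def settles(strict, donation):
    """True if a 1e18 loss settles on a 101e18 LP after an optional donation."""
    lp = LpModel(101 * WEI, strict)
    if donation:
        lp.donate(donation)
    try:
        lp.settle(1 * WEI)
        return True
    except Revert:
        return False
```

With the relaxed check the donated wei stays in the LP as surplus balance, and settlement no longer depends on it.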
#0 - c4-pre-sort
2023-09-09T09:53:50Z
bytes032 marked the issue as duplicate of #619
#1 - c4-pre-sort
2023-09-11T16:14:16Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-21T07:15:02Z
GalloDaSballo marked the issue as satisfactory
🌟 Selected for report: 0xTheC0der
Also found by: 0Kage, 0xDING99YA, 0xHelium, 0xbranded, 836541, ABA, Kow, QiuhaoLi, SpicyMeatball, T1MOH, __141345__, alexfilippov314, ayden, bart1e, bin2chen, chaduke, degensec, jasonxiale, joaovwfreire, nirlin, peakbolt, pep7siup, rvierdiiev, tnquanghuy0512
15.9268 USDC - $15.93
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L563 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L462
If duration decreases, then fundingPointer goes up repeatedly in updateFundingPaymentPointer, which involves a lot of gas-heavy computations such as transfers and external contract calls. Thus the function can revert due to running out of gas (OOG), causing all functionality to fail, including purchase and settle.
If duration increases, then fundingPointer stays the same and nextFundingTimestamp goes up as it is proportional to duration. As a result, funding calculations cause premiums to go up since time to expiry must also increase, and if the increase is too large then DoS can result due to not having enough tokens.
The more time that has passed since genesis (the larger the fundingPaymentPointer), the greater the risks associated with changing the duration.
Duration is currently 7 days and updated to 1 day. The fundingPaymentPointer was originally 10. It must now be updated to 70. 60 iterations of the while loop occur, which causes OOG due to repeated transfer and external function calls.
Duration is currently 1 day and updated to 7 days. The fundingPaymentPointer was originally 10 and stays at 10. But now when calculating funding, the time passed is 7 times what it originally was and so 6 times the total amount of funding ever paid is due at once, leading to likely DoS due to not having enough tokens or at least extremely high premiums.
Manual review
Do not allow changes in duration, and if it is changed, ensure it is within some legal bounds
DoS
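Both scenarios above, run through an added Python model that is not part of the original report and is not the contract code. It assumes the next funding timestamp is genesis + pointer * duration, and the function names and the max_iterations bound are hypothetical.

```python
DAY = 86_400  # seconds


def next_funding_timestamp(genesis, pointer, duration):
    # Assumed form: proportional to duration, as the report describes.
    return genesis + pointer * duration


def catch_up(genesis, pointer, duration, now):
    """Model of the pointer-update while loop; returns (pointer, iterations)."""
    iterations = 0
    while now >= next_funding_timestamp(genesis, pointer, duration):
        # Each pass in the contract performs transfers and external calls.
        pointer += 1
        iterations += 1
    return pointer, iterations


def assess_change(old_duration, new_duration, pointer, now,
                  genesis=0, max_iterations=5):
    """Pre-flight check for a duration change (hypothetical policy)."""
    before = next_funding_timestamp(genesis, pointer, old_duration)
    new_pointer, iterations = catch_up(genesis, pointer, new_duration, now)
    after = next_funding_timestamp(genesis, new_pointer, new_duration)
    return {
        "iterations": iterations,          # loop passes paid for by the next caller
        "new_pointer": new_pointer,
        "next_funding_before": before,
        "next_funding_after": after,
        # Allow only changes that need few passes and keep the funding boundary.
        "allowed": iterations <= max_iterations and after == before,
    }


# Constructed timestamps: pointer 10 means "now" lies inside the 10th period.
shorten = assess_change(7 * DAY, 1 * DAY, 10, now=69 * DAY + DAY // 2)
lengthen = assess_change(1 * DAY, 7 * DAY, 10, now=9 * DAY + DAY // 2)
```

Shortening needs 60 loop passes to move the pointer from 10 to 70. Lengthening needs none but moves the next funding boundary from day 10 to day 70.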
#0 - c4-pre-sort
2023-09-09T03:56:14Z
bytes032 marked the issue as duplicate of #980
#1 - c4-pre-sort
2023-09-11T08:23:41Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-20T11:09:32Z
GalloDaSballo changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-10-20T11:12:08Z
GalloDaSballo marked the issue as satisfactory