Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $125,000 USDC
Total HM: 26
Participants: 189
Period: 16 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 278
League: ETH
Rank: 178/189
Findings: 1
Award: $0.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: klau5
Also found by: 0x3b, 0xCiphky, 0xDING99YA, 0xWaitress, 0xbranded, 0xc0ffEE, 0xklh, 0xsurena, 0xvj, ABA, AkshaySrivastav, Anirruth, Aymen0909, Baki, Blockian, BugzyVonBuggernaut, DanielArmstrong, Evo, GangsOfBrahmin, HChang26, Inspex, Jiamin, Juntao, Kow, Krace, KrisApostolov, LFGSecurity, LokiThe5th, Mike_Bello90, Norah, Nyx, QiuhaoLi, RED-LOTUS-REACH, SBSecurity, Snow24, SpicyMeatball, T1MOH, Tendency, Toshii, Udsen, Yanchuan, __141345__, ak1, asui, auditsea, ayden, bart1e, bin2chen, blutorque, carrotsmuggler, chaduke, chainsnake, circlelooper, clash, codegpt, crunch, degensec, dirk_y, ge6a, gjaldon, grearlake, jasonxiale, juancito, ke1caM, kodyvim, kutugu, ladboy233, lanrebayode77, mahdikarimi, max10afternoon, mert_eren, nirlin, nobody2018, oakcobalt, parsely, peakbolt, pks_, pontifex, ravikiranweb3, rokinot, rvierdiiev, said, savi0ur, sces60107, sh1v, sl1, spidy730, tapir, tnquanghuy0512, ubermensch, visualbits, volodya, wintermute
0.0098 USDC - $0.01
settle functions to revert consistentlyVulnerable Contract PerpetualAtlanticVaultLP.sol
A malicious user can manipulate the subtractLoss function to revert consistently, thereby locking down dependent operations, such as the settle functions in both RdpxV2Core and PerpetualAtlanticVaultLP.
The function subtractLoss is outlined below: subtractLoss:
function subtractLoss(uint256 loss) public onlyPerpVault { require( collateral.balanceOf(address(this)) == _totalCollateral - loss, // 1 "Not enough collateral was sent out" ); _totalCollateral -= loss; }
A malicious user can transfer an arbitrary amount of the collateral token into the PerpetualAtlanticVaultLP contract. This action would cause the require statement (marked as Comment 1) to consistently fail. The failure happens due to a discrepancy between the actual contract balance and the internal state variable _totalCollateral. When a user transfers tokens into the contract, _totalCollateral remains unaltered, causing the mismatch.
As a result of this vulnerability, no settle functions could be successfully invoked across the entire system, leading to a complete breakdown of the project's functionality.
To confirm this flaw, insert the following line into the testSettle test
weth.mint(address(vaultLp), 1); // simulate someone sending collateral (weth is the collateral in the tests) token to the vault, we can also actually send some weth but this is the simplest method to verify it in the tests
Alternatively, you can introduce the following test into Unit.t.sol
function testSettleFailed() public { weth.mint(address(1), 1 ether); weth.mint(address(vaultLp), 1); // simulate someone sending collateral token to the vault deposit(1 ether, address(1)); vault.purchase(1 ether, address(this)); uint256[] memory ids = new uint256[](1); ids[0] = 0; skip(86500); // expire priceOracle.updateRdpxPrice(0.010 gwei); // ITM vault.settle(ids); // this function will revert, if we comment `weth.mint(address(vaultLp), 1);` it will pass }
Static code analysis was used.
collateral.balanceOf(address(this)) >= _totalCollateral - loss.Token-Transfer
#0 - c4-pre-sort
2023-09-09T09:53:44Z
bytes032 marked the issue as duplicate of #619
#1 - c4-pre-sort
2023-09-11T16:14:15Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-20T19:29:10Z
GalloDaSballo marked the issue as satisfactory