Dopex - DanielArmstrong's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Researcher Performance

Rank: 173/189

Findings: 1

Award: $0.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L201

Vulnerability details

Impact

PerpetualAtlanticVault can never be settled.

Proof of Concept

When an attacker transfers a small amount of collateral token to PerpetualAtlanticVaultLP, the function PerpetualAtlanticVaultLP.sol#subtractLoss always reverts because the real balance differs from the value _totalCollateral.

PerpetualAtlanticVaultLP.sol#subtractLoss is as follows.

File: PerpetualAtlanticVaultLP.sol
199:   function subtractLoss(uint256 loss) public onlyPerpVault {
200:     require(
201:       collateral.balanceOf(address(this)) == _totalCollateral - loss,
202:       "Not enough collateral was sent out"
203:     );
204:     _totalCollateral -= loss;
205:   }

In L201, the equation collateral.balanceOf(address(this)) == _totalCollateral - loss is based on the assumption that collateral.balanceOf(address(this)) is always synced with _totalCollateral.

But if an attacker transfers a small amount of collateral token to the PerpetualAtlanticVaultLP contract, this assumption becomes wrong.

Then this function always reverts.

On the other hand, the function PerpetualAtlanticVault.sol#settle calls the function PerpetualAtlanticVaultLP.sol#subtractLoss.

So, in this case, the function PerpetualAtlanticVault.sol#settle always reverts.

Tools Used

Manual Review

File: PerpetualAtlanticVaultLP.sol
199:   function subtractLoss(uint256 loss) public onlyPerpVault {
200:     require(
201: -     collateral.balanceOf(address(this)) == _totalCollateral - loss,
201: +     collateral.balanceOf(address(this)) >= _totalCollateral - loss,
202:       "Not enough collateral was sent out"
203:     );
204:     _totalCollateral -= loss;
205:   }
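
Review bot: the revert string on line 202 no longer matches what line 201 enforces once the comparison is >=. With >= the require passes whenever the balance still covers _totalCollateral - loss, including when less than loss (or nothing at all) left the contract, so "Not enough collateral was sent out" is not what is being checked. Reword the message to state the actual invariant, or, if the intent is to confirm that loss was sent out, compare against the balance change instead. A comment noting that any balance above _totalCollateral stays untracked after this change would also help.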

Assessed type

DoS
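
The failure described in the Proof of Concept, as an added Python model (not part of the original report or the Dopex code base): it tracks the token balance and _totalCollateral separately and runs subtractLoss with the original == check and the proposed >= check. The amounts, the donate/send_out helpers and the send-then-check order in settle are assumptions made for the model.

```python
class Revert(Exception):
    """Stands in for a failed Solidity require()."""

class VaultLP:
    """Model of the LP accounting; field names mirror the quoted contract."""
    def __init__(self, deposited, strict=True):
        self.balance = deposited            # collateral.balanceOf(address(this))
        self.total_collateral = deposited   # _totalCollateral
        self.strict = strict                # True: '==' (original), False: '>=' (proposed)

    def donate(self, amount):
        # Direct token transfer to the contract: balance moves, accounting does not.
        self.balance += amount

    def send_out(self, amount):
        # Collateral leaving the LP during settlement (assumed step).
        self.balance -= amount

    def subtract_loss(self, loss):
        expected = self.total_collateral - loss
        ok = self.balance == expected if self.strict else self.balance >= expected
        if not ok:
            raise Revert("Not enough collateral was sent out")
        self.total_collateral -= loss

def settle(lp, loss, sent=None):
    """Send collateral out, then call subtract_loss; return 'ok' or the revert reason.
    A fresh VaultLP is used per scenario, so rollback on revert is not modelled."""
    lp.send_out(loss if sent is None else sent)
    try:
        lp.subtract_loss(loss)
        return "ok"
    except Revert as exc:
        return str(exc)

def scenarios():
    """Constructed amounts: 1000 deposited, loss of 100, donation of 1."""
    out = {"strict_no_donation": settle(VaultLP(1000), 100)}
    lp = VaultLP(1000); lp.donate(1)
    out["strict_after_donation"] = settle(lp, 100)       # balance 901 != 900
    lp = VaultLP(1000, strict=False); lp.donate(1)
    out["relaxed_after_donation"] = settle(lp, 100)      # 901 >= 900
    # Relaxed check also passes when no collateral left the contract.
    out["relaxed_nothing_sent"] = settle(VaultLP(1000, strict=False), 100, sent=0)
    return out

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```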

#0 - c4-pre-sort

2023-09-09T09:54:34Z

bytes032 marked the issue as duplicate of #619

#1 - c4-pre-sort

2023-09-11T16:14:22Z

bytes032 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-21T07:16:17Z

GalloDaSballo marked the issue as satisfactory
