Back to IceBear's contests

Dopex - IceBear's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Dopex

Findings Distribution

Researcher Performance

Rank: 116/189

Findings: 2

Award: $42.29

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryDopex

Findings Information

🌟 Selected for report: 0xWagmi

Also found by: 836541, Bauchibred, GangsOfBrahmin, Hama, IceBear, Inspecktor, Matin, MohammedRizwan, catellatech, erebus, lsaudit, niki, okolicodes, ravikiranweb3, tapir, vangrim, zaevlad

Awards

23.1243 USDC - $23.12

Labels

bug
2 (Med Risk)
partial-50
sufficient quality report
edited-by-warden
duplicate-863

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L274

Vulnerability details

Impact

The first depositor of an ERC4626 vault can maliciously manipulate the share price by depositing the lowest possible amount (1 wei) of liquidity and then artificially inflating totalVaultCollateral.

share price can be maliciously inflated on the initial deposit, leading to the next depositor losing assets due to precision issues.

Proof of Concept

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L274

Tools Used

Consider requiring a minimal initial deposit amount in a vault.

Assessed type

ERC4626

#0 - c4-pre-sort

2023-09-07T13:33:48Z

bytes032 marked the issue as duplicate of #863

#1 - c4-pre-sort

2023-09-11T09:10:50Z

bytes032 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-18T12:52:01Z

GalloDaSballo marked the issue as partial-50

#3 - GalloDaSballo

2023-10-18T12:52:14Z

Low quality

Findings Information

🌟 Selected for report: juancito

Also found by: 0xDING99YA, 0xTiwa, 0xkazim, 0xnev, ABA, ArmedGoose, Aymen0909, Bauchibred, Evo, IceBear, KrisApostolov, MohammedRizwan, Nikki, QiuhaoLi, T1MOH, Toshii, WoolCentaur, Yanchuan, __141345__, asui, bart1e, carrotsmuggler, catellatech, chaduke, codegpt, deadrxsezzz, degensec, dethera, dirk_y, erebus, ether_sky, gjaldon, glcanvas, jasonxiale, josephdara, klau5, kodyvim, ladboy233, lsaudit, minhquanym, parsely, peakbolt, pep7siup, rvierdiiev, said, savi0ur, sces60107, tapir, ubermensch, volodya, zzebra83

Awards

19.1724 USDC - $19.17

Labels

bug
downgraded by judge
grade-b
low quality report
QA (Quality Assurance)
Q-39

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/decaying-bonds/RdpxDecayingBonds.sol#L61-L62

Vulnerability details

Impact

This function is deprecated in favor of {_grantRole}. Ref: https://docs.openzeppelin.com/contracts/4.x/api/access#AccessControl-_setupRole-bytes32-address- https://github.com/OpenZeppelin/openzeppelin-contracts/issues/3918 https://github.com/OpenZeppelin/openzeppelin-contracts/blob/c1d9da4052a75232dca1fafac80c4a2cb82fe518/contracts/access/AccessControl.sol#L203

Proof of Concept

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/decaying-bonds/RdpxDecayingBonds.sol#L61-L62

Tools Used

use _grantRole instead

Assessed type

Library

#0 - bytes032

2023-09-13T13:09:30Z

Over inflated

#1 - c4-pre-sort

2023-09-13T13:09:35Z

bytes032 marked the issue as low quality report

#2 - c4-judge

2023-10-08T18:23:34Z

GalloDaSballo changed the severity to QA (Quality Assurance)

#3 - c4-judge

2023-10-20T18:18:08Z

GalloDaSballo marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter