Dopex - atrixs6's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Dopex

Findings Distribution

Researcher Performance

Rank: 171/189

Findings: 1

Award: $0.04

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest Page Github Contest Repository Github Findings Repository Dopex

Findings Information

🌟 Selected for report: 0xrafaelnicolau

Also found by: 0x111, 0xCiphky, 0xMosh, 0xWaitress, 0xc0ffEE, 0xkazim, 0xnev, 0xvj, ABAIKUNANBAEV, Aymen0909, Baki, ElCid, HChang26, HHK, Inspex, Jorgect, Kow, Krace, KrisApostolov, LFGSecurity, MiniGlome, Nyx, QiuhaoLi, RED-LOTUS-REACH, Talfao, Toshii, Vagner, Viktor_Cortess, Yanchuan, _eperezok, asui, atrixs6, bart1e, bin2chen, carrotsmuggler, chaduke, chainsnake, deadrxsezzz, degensec, dethera, dimulski, dirk_y, ether_sky, gizzy, glcanvas, grearlake, gumgumzum, halden, hals, kodyvim, koo, ladboy233, lanrebayode77, max10afternoon, minhtrng, mussucal, nobody2018, peakbolt, pontifex, qbs, ravikiranweb3, rvierdiiev, said, tapir, ubermensch, volodya, wintermute, yashar, zaevlad, zzebra83

Awards

0.0367 USDC - $0.04

Labels

bug

3 (High Risk)

partial-25

upgraded by judge

duplicate-239

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L975-L990

Vulnerability details

Impact

After using the withdraw function to extract WETH, totalWethDelegated was not updated.

Proof of Concept

Specific code

  function withdraw(
    uint256 delegateId
  ) external returns (uint256 amountWithdrawn) {
    _whenNotPaused();
    _validate(delegateId < delegates.length, 14);
    Delegate storage delegate = delegates[delegateId];
    _validate(delegate.owner == msg.sender, 9);

    amountWithdrawn = delegate.amount - delegate.activeCollateral;
    _validate(amountWithdrawn > 0, 15);
    delegate.amount = delegate.activeCollateral;

    IERC20WithBurn(weth).safeTransfer(msg.sender, amountWithdrawn);

    emit LogDelegateWithdraw(delegateId, amountWithdrawn);
  }

Tools Used

Manual review

Recommended Mitigation Steps

Add updates for totalWethDelegated.

  function withdraw(
    uint256 delegateId
  ) external returns (uint256 amountWithdrawn) {
    _whenNotPaused();
    _validate(delegateId < delegates.length, 14);
    Delegate storage delegate = delegates[delegateId];
    _validate(delegate.owner == msg.sender, 9);

    amountWithdrawn = delegate.amount - delegate.activeCollateral;
    _validate(amountWithdrawn > 0, 15);
    delegate.amount = delegate.activeCollateral;

+   totalWethDelegated -= amountWithdrawn;

    IERC20WithBurn(weth).safeTransfer(msg.sender, amountWithdrawn);

    emit LogDelegateWithdraw(delegateId, amountWithdrawn);
  }

Assessed type

Error

#0 - c4-pre-sort
2023-09-07T07:49:36Z

bytes032 marked the issue as duplicate of #2186

#1 - c4-judge
2023-10-20T17:54:27Z

GalloDaSballo marked the issue as partial-50

#2 - c4-judge
2023-10-21T07:38:54Z

GalloDaSballo changed the severity to 3 (High Risk)

#3 - c4-judge
2023-10-21T07:43:57Z

GalloDaSballo marked the issue as partial-25

Dopex - atrixs6's results

A rebate system for option writers in the Dopex Protocol.

General Information

Findings Distribution

Researcher Performance

External Links

[H-08] TotalWethDelegated calculation error - $0.04

Findings Information

Awards

Labels

External Links

Lines of code

Vulnerability details

Impact

Proof of Concept

Tools Used

Recommended Mitigation Steps

Assessed type

#0 - c4-pre-sort2023-09-07T07:49:36Z

#1 - c4-judge2023-10-20T17:54:27Z

#2 - c4-judge2023-10-21T07:38:54Z

#3 - c4-judge2023-10-21T07:43:57Z

#0 - c4-pre-sort
2023-09-07T07:49:36Z

#1 - c4-judge
2023-10-20T17:54:27Z

#2 - c4-judge
2023-10-21T07:38:54Z

#3 - c4-judge
2023-10-21T07:43:57Z