Dopex - ayden's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Researcher Performance

Rank: 117/189

Findings: 3

Award: $40.77

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L199#L205

Vulnerability details

Impact

When calculating subtractLoss, it's based on the balance of the vaultLp contract; anyone can transfer in 1 wei of collateral token to interrupt the settle invocation.

  function subtractLoss(uint256 loss) public onlyPerpVault {
    require(
      collateral.balanceOf(address(this)) == _totalCollateral - loss, //@audit strict equality ?
      "Not enough collateral was sent out"
    );
    _totalCollateral -= loss;
  }

Proof of Concept

Add a test case function in perp-vault/Intergration.t.sol:

  function testSubtractLossNotEqError() public {
    address maliciousUser = address(101);
    setApprovals(maliciousUser);
    mintWeth(25 ether, maliciousUser);
    deposit(1 ether, maliciousUser);

    // premium = 100 * 0.05 weth = 5 weth
    uint256 tokenId = purchase(1 ether, address(this));
    assertEq(vault.latestFundingPaymentPointer(), 0);

    skip(86500); // expires epoch 1
    vault.updateFunding();
    vault.updateFundingPaymentPointer();
    assertEq(vault.latestFundingPaymentPointer(), 1); //expire; new epoch = 1

    uint256[] memory strikes = new uint256[](1);
    strikes[0] = 0.015 gwei;
    vm.startPrank(address(this));
    uint256[] memory tokenIds = new uint256[](1);
    tokenIds[0] = tokenId;
    priceOracle.updateRdpxPrice(0.010 gwei);

    //==== use maliciousUser to transfer 1 wei weth into LP contract =====//
    vm.stopPrank();
    vm.startPrank(maliciousUser);
    weth.transfer(address(vaultLp), 1 wei);
    vm.expectRevert("Not enough collateral was sent out");
    //==== use maliciousUser to transfer 1 wei weth into LP contract =====//
    vm.stopPrank();
    vm.startPrank(address(this));
    vault.settle(tokenIds);
  }

Tools Used

Manual

use >= instead of ==

Assessed type

Math
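
A source-level check for the pattern this finding describes, as an added example that is not part of the report or of the Dopex code base: it flags == comparisons against balanceOf(address(this)), a value any external transfer can change. The function names, the regex heuristic and the subtractLossTolerant variant in the sample are assumptions made for illustration.

```python
import re

# Constructed sample: the check quoted in the finding, plus a variant using
# the >= comparison the finding recommends (hypothetical function name).
SAMPLE = '''
contract VaultLP {
  function subtractLoss(uint256 loss) public onlyPerpVault {
    require(
      collateral.balanceOf(address(this)) == _totalCollateral - loss, //@audit strict equality ?
      "Not enough collateral was sent out"
    );
    _totalCollateral -= loss;
  }
  function subtractLossTolerant(uint256 loss) public onlyPerpVault {
    require(
      collateral.balanceOf(address(this)) >= _totalCollateral - loss,
      "Not enough collateral was sent out"
    );
    _totalCollateral -= loss;
  }
}
'''

SELF_BALANCE = r"\.\s*balanceOf\s*\(\s*address\s*\(\s*this\s*\)\s*\)"
# '==' immediately after a self-balance read, or before one inside the same
# operand ([^,;&|=] stops at argument, statement and operator boundaries).
STRICT = re.compile(rf"{SELF_BALANCE}\s*==|==\s*[^,;&|=]*?{SELF_BALANCE}")

def strip_comments(src):
    """Drop comments but keep every newline so line numbers stay valid."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def find_strict_balance_checks(src):
    """Return (line number, source line) for each strict self-balance comparison."""
    clean = strip_comments(src)
    lines = src.splitlines()
    hits = []
    for m in STRICT.finditer(clean):
        lineno = clean.count("\n", 0, m.start()) + 1
        hits.append((lineno, lines[lineno - 1].strip()))
    return hits

if __name__ == "__main__":
    for lineno, text in find_strict_balance_checks(SAMPLE):
        print(f"line {lineno}: {text}")
```

The heuristic does not parse string literals, so a // inside a quoted string would be treated as a comment start.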

#0 - c4-pre-sort

2023-09-09T10:01:03Z

bytes032 marked the issue as duplicate of #619

#1 - c4-pre-sort

2023-09-11T16:15:13Z

bytes032 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-20T19:34:52Z

GalloDaSballo marked the issue as satisfactory

Awards

15.9268 USDC - $15.93

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
duplicate-850

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVault.sol#L237#L241

Vulnerability details

Impact

When the administrator delays or shortens the epoch period, the currentFundingRate calculated based on the epoch dependency may become inconsistent.

Proof of Concept

  function _updateFundingRate(uint256 amount) private { //@audit-info amount of weth.
    if (fundingRates[latestFundingPaymentPointer] == 0) {
      uint256 startTime;
      if (lastUpdateTime > nextFundingPaymentTimestamp() - fundingDuration) {
        startTime = lastUpdateTime;
      } else {
        startTime = nextFundingPaymentTimestamp() - fundingDuration;
      }
      uint256 endTime = nextFundingPaymentTimestamp();
      fundingRates[latestFundingPaymentPointer] =
        (amount * 1e18) /
        (endTime - startTime);
    } else {
      uint256 startTime = lastUpdateTime;
      uint256 endTime = nextFundingPaymentTimestamp(); //-< based on period
      if (endTime == startTime) return; //@audit-info .
      fundingRates[latestFundingPaymentPointer] =
        fundingRates[latestFundingPaymentPointer] +
        ((amount * 1e18) / (endTime - startTime));
    }
  }
  function nextFundingPaymentTimestamp()
    public
    view
    returns (uint256 timestamp)
  {
    return genesis + (latestFundingPaymentPointer * fundingDuration);
  }

When calculating the current epoch's fundingRates, it's based on the epoch period. When fundingRates[latestFundingPaymentPointer] != 0, startTime is lastUpdateTime and endTime is genesis + (latestFundingPaymentPointer * fundingDuration). Therefore the endTime is related to fundingDuration (the length of the epoch period).

However, there are no checks when setting the fundingDuration. The administrator can set it at any time. If the fundingRates in the current period are not zero, then the fundingRates set before and after will be inconsistent, leading to incorrect amounts being sent.

Tools Used

Manual

checking fundingRates before updateFundingDuration.

Assessed type

Context
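
The arithmetic behind this finding, carried through with integer math as an added example (not code from the report or from Dopex). It models the two quoted functions, then changes fundingDuration after a rate has been set. Assumptions: the rate is streamed per second over one fundingDuration, the guarded setter stands in for the suggested check, and all timestamps and amounts are constructed.

```python
SCALE = 10**18
WEEK = 7 * 24 * 3600

class FundingModel:
    """Integer model of _updateFundingRate and nextFundingPaymentTimestamp."""

    def __init__(self, genesis, funding_duration, pointer):
        self.genesis = genesis
        self.funding_duration = funding_duration
        self.pointer = pointer            # latestFundingPaymentPointer
        self.last_update_time = 0
        self.funding_rates = {}

    def next_funding_payment_timestamp(self):
        return self.genesis + self.pointer * self.funding_duration

    def update_funding_rate(self, amount):
        end = self.next_funding_payment_timestamp()
        if self.funding_rates.get(self.pointer, 0) == 0:
            start = max(self.last_update_time, end - self.funding_duration)
            self.funding_rates[self.pointer] = amount * SCALE // (end - start)
        else:
            start = self.last_update_time
            if end == start:
                return
            self.funding_rates[self.pointer] += amount * SCALE // (end - start)

    def set_funding_duration(self, new_duration, guarded):
        # guarded=True models the suggested check: refuse while a rate is live.
        if guarded and self.funding_rates.get(self.pointer, 0) != 0:
            raise ValueError("funding rate already set for current epoch")
        self.funding_duration = new_duration

    def implied_epoch_payout(self):
        # Assumption: the stored rate is paid per second for one fundingDuration.
        rate = self.funding_rates.get(self.pointer, 0)
        return rate * self.funding_duration // SCALE

def demo(new_duration, guarded=False):
    """Fund one epoch, change the duration, return (funded, before, after)."""
    vault = FundingModel(genesis=1_000_000, funding_duration=WEEK, pointer=2)
    funded = 7 * SCALE
    vault.update_funding_rate(funded)
    before = vault.implied_epoch_payout()
    vault.set_funding_duration(new_duration, guarded)
    return funded, before, vault.implied_epoch_payout()

if __name__ == "__main__":
    for label, duration in (("doubled", 2 * WEEK), ("halved", WEEK // 2)):
        print(label, demo(duration))
```

With the duration doubled, the unchanged rate implies roughly twice the funded amount; halved, roughly half. The guarded setter rejects both changes.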

#0 - c4-pre-sort

2023-09-08T06:25:20Z

bytes032 marked the issue as duplicate of #980

#1 - c4-pre-sort

2023-09-11T08:20:16Z

bytes032 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-20T11:09:32Z

GalloDaSballo changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-10-20T11:11:39Z

GalloDaSballo marked the issue as satisfactory

Awards

24.8267 USDC - $24.83

Labels

bug
2 (Med Risk)
downgraded by judge
satisfactory
sufficient quality report
duplicate-153

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/reLP/ReLPContract.sol#L202#L307

Vulnerability details

Impact

Some weth will be stuck in the ReLPContract indefinitely. Furthermore, there is no withdrawal function provided in the contract.

When addLiquidity is called, amountAMin and amountBMin are set to zero. Therefore the amount for addLiquidity is not sure. After addLiquidity, some weth may not be used and is not transferred to rdpxV2Core like rdpx.

Proof of Concept

I add a test case in the rdpxV2-core/Periphery.t.sol file, check the balance before invoking reLP, and check the balance after reLP; we can find that the balance of weth is bigger than zero:

  function testReLpWethStuckInContract() public {
    testV2Amo();

    // set address in reLP contract and grant role
    reLpContract.setAddresses(
      address(rdpx),
      address(weth),
      address(pair),
      address(rdpxV2Core),
      address(rdpxReserveContract),
      address(uniV2LiquidityAMO),
      address(rdpxPriceOracle),
      address(factory),
      address(router)
    );
    reLpContract.grantRole(reLpContract.RDPXV2CORE_ROLE(), address(rdpxV2Core));

    //set reLp factor.
    reLpContract.setreLpFactor(9e4);

    // add liquidity  
    uniV2LiquidityAMO.addLiquidity(5e18, 1e18, 0, 0);
    uniV2LiquidityAMO.approveContractToSpend(
      address(pair),
      address(reLpContract),
      type(uint256).max
    );

    //=================================================//
    //check balance before bond , before balance is zero.
    assertEq(pair.balanceOf(address(reLpContract)),0);
    assertEq(rdpx.balanceOf(address(reLpContract)),0);
    assertEq(weth.balanceOf(address(reLpContract)),0);
    //=================================================//

    //activate reLP.
    rdpxV2Core.setIsreLP(true);
    rdpxV2Core.bond(1 * 1e18, 0, address(this));
    
    assertEq(rdpx.balanceOf(address(reLpContract)),0);
    
    //==================================================//
    //after reLP operation some weth stuck in contract.
    assertGt(weth.balanceOf(address(reLpContract)),0);
    //==================================================//
  }

Tools Used

Manual

we should transfer weth to rdpxV2Core like rdpx.

Assessed type

Context
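
Why a remainder appears, as an added example that is not part of the report or of the Dopex code: a model of the amount selection a Uniswap V2 style router performs in addLiquidity, which consumes the two tokens only in the pool's current ratio. The page does not show the router code; the reserves, balances and the relp_leftover helper are constructed for illustration.

```python
def quote(amount_a, reserve_a, reserve_b):
    """Amount of B matching amount_a at the pool's current ratio."""
    return amount_a * reserve_b // reserve_a

def add_liquidity_amounts(a_desired, b_desired, reserve_a, reserve_b,
                          a_min=0, b_min=0):
    """Amounts the router actually pulls; the rest stays with the caller."""
    if reserve_a == 0 and reserve_b == 0:
        return a_desired, b_desired
    b_optimal = quote(a_desired, reserve_a, reserve_b)
    if b_optimal <= b_desired:
        if b_optimal < b_min:
            raise ValueError("INSUFFICIENT_B_AMOUNT")
        return a_desired, b_optimal
    a_optimal = quote(b_desired, reserve_b, reserve_a)
    assert a_optimal <= a_desired
    if a_optimal < a_min:
        raise ValueError("INSUFFICIENT_A_AMOUNT")
    return a_optimal, b_desired

def relp_leftover(rdpx_held, weth_held, reserve_rdpx, reserve_weth, weth_min=0):
    """(rdpx, weth) left in the calling contract after addLiquidity."""
    used_rdpx, used_weth = add_liquidity_amounts(
        rdpx_held, weth_held, reserve_rdpx, reserve_weth, b_min=weth_min
    )
    return rdpx_held - used_rdpx, weth_held - used_weth

if __name__ == "__main__":
    E18 = 10**18
    # Constructed state: pool at 5 rdpx : 1 weth, caller holds slightly more
    # weth than that ratio can absorb.
    left_rdpx, left_weth = relp_leftover(10 * E18, 21 * E18 // 10,
                                         5000 * E18, 1000 * E18)
    print("rdpx left:", left_rdpx, "weth left:", left_weth)
```

With both minimums at zero the call succeeds and the unused side is left behind silently, so that remainder is the amount a fix has to forward or account for.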

#0 - c4-pre-sort

2023-09-10T07:48:54Z

bytes032 marked the issue as duplicate of #1286

#1 - c4-pre-sort

2023-09-11T15:38:20Z

bytes032 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-10T17:52:40Z

GalloDaSballo changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-10-18T12:14:03Z

GalloDaSballo marked the issue as satisfactory
