Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $125,000 USDC
Total HM: 26
Participants: 189
Period: 16 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 278
League: ETH
Rank: 180/189
Findings: 1
Award: $0.01
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: klau5
Also found by: 0x3b, 0xCiphky, 0xDING99YA, 0xWaitress, 0xbranded, 0xc0ffEE, 0xklh, 0xsurena, 0xvj, ABA, AkshaySrivastav, Anirruth, Aymen0909, Baki, Blockian, BugzyVonBuggernaut, DanielArmstrong, Evo, GangsOfBrahmin, HChang26, Inspex, Jiamin, Juntao, Kow, Krace, KrisApostolov, LFGSecurity, LokiThe5th, Mike_Bello90, Norah, Nyx, QiuhaoLi, RED-LOTUS-REACH, SBSecurity, Snow24, SpicyMeatball, T1MOH, Tendency, Toshii, Udsen, Yanchuan, __141345__, ak1, asui, auditsea, ayden, bart1e, bin2chen, blutorque, carrotsmuggler, chaduke, chainsnake, circlelooper, clash, codegpt, crunch, degensec, dirk_y, ge6a, gjaldon, grearlake, jasonxiale, juancito, ke1caM, kodyvim, kutugu, ladboy233, lanrebayode77, mahdikarimi, max10afternoon, mert_eren, nirlin, nobody2018, oakcobalt, parsely, peakbolt, pks_, pontifex, ravikiranweb3, rokinot, rvierdiiev, said, savi0ur, sces60107, sh1v, sl1, spidy730, tapir, tnquanghuy0512, ubermensch, visualbits, volodya, wintermute
0.0098 USDC - $0.01
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L201 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L359 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L774
Malicious actors can send small amount of the PerpetualAtlanticVaultLP.collateral token and this way make the PerpetualAtlanticVaultLP.subtractLoss(uint256 loss) function to always revert. Consequently both functions PerpetualAtlanticVault.settle(uint256[] memory optionIds) and RdpxV2Core.settle(uint256[] memory optionIds) would also revert. The impact is that the admin of the RdpxV2Core contract would not be able to settle the options when necessary.
According the Dopex documentation and this blog post (https://blog.dopex.io/articles/dopex-papers/rdpx-v2-for-the-mentally-challenged) dpxEth is backed by 75% ETH, 25% rDPX + 25% OTM rDPX-ETH perpetual put options. These options place a backstop on rDPX of 75% of its initial value so the minimum possible backing of dpxETH is 93.75%. Using the described attack attacker could decrease the backing of dpxETH to 75% which is direct risk for the protocol and may lead to loss of funds. Adding the low cost of execution i conclude the severity should be High.
To test add this function into tests/perp-vault/Unit.t.sol
function testSettleDosPOC() public { weth.mint(address(1), 1 ether); deposit(1 ether, address(1)); vault.purchase(1 ether, address(this)); uint256[] memory ids = new uint256[](1); ids[0] = 0; priceOracle.updateRdpxPrice(0.010 gwei); // ITM weth.transfer(address(vaultLp), 2 * 1e18); vm.expectRevert("Not enough collateral was sent out"); vault.settle(ids); }
Manual testing, Foundry
Replace the operator == with >=.
function subtractLoss(uint256 loss) public onlyPerpVault { require( collateral.balanceOf(address(this)) == _totalCollateral - loss, "Not enough collateral was sent out" ); _totalCollateral -= loss; }
DoS
#0 - c4-pre-sort
2023-09-09T09:55:33Z
bytes032 marked the issue as duplicate of #619
#1 - c4-pre-sort
2023-09-11T16:14:27Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-21T07:14:32Z
GalloDaSballo marked the issue as satisfactory