Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $125,000 USDC
Total HM: 26
Participants: 189
Period: 16 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 278
League: ETH
Rank: 169/189
Findings: 2
Award: $0.05
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: klau5
Also found by: 0x3b, 0xCiphky, 0xDING99YA, 0xWaitress, 0xbranded, 0xc0ffEE, 0xklh, 0xsurena, 0xvj, ABA, AkshaySrivastav, Anirruth, Aymen0909, Baki, Blockian, BugzyVonBuggernaut, DanielArmstrong, Evo, GangsOfBrahmin, HChang26, Inspex, Jiamin, Juntao, Kow, Krace, KrisApostolov, LFGSecurity, LokiThe5th, Mike_Bello90, Norah, Nyx, QiuhaoLi, RED-LOTUS-REACH, SBSecurity, Snow24, SpicyMeatball, T1MOH, Tendency, Toshii, Udsen, Yanchuan, __141345__, ak1, asui, auditsea, ayden, bart1e, bin2chen, blutorque, carrotsmuggler, chaduke, chainsnake, circlelooper, clash, codegpt, crunch, degensec, dirk_y, ge6a, gjaldon, grearlake, jasonxiale, juancito, ke1caM, kodyvim, kutugu, ladboy233, lanrebayode77, mahdikarimi, max10afternoon, mert_eren, nirlin, nobody2018, oakcobalt, parsely, peakbolt, pks_, pontifex, ravikiranweb3, rokinot, rvierdiiev, said, savi0ur, sces60107, sh1v, sl1, spidy730, tapir, tnquanghuy0512, ubermensch, visualbits, volodya, wintermute
0.0098 USDC - $0.01
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L764-#L783 https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVault.sol#L315-#L369 https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L200-#L203
Attacker can DoS settle() function's execution, lead to loss of fund
When admin call RDPXV2Core#settle() , it will make a call to PerpetualAtlanticVault#settle():
(amountOfWeth, rdpxAmount) = IPerpetualAtlanticVault( addresses.perpetualAtlanticVault ).settle(optionIds);
In PerpetualAtlanticVault#settle(), there is a call to PerpetualAtlanticVaultLP#subtractLoss():
IPerpetualAtlanticVaultLP(addresses.perpetualAtlanticVaultLP) .subtractLoss(ethAmount);
Problem raised in require condition in PerpetualAtlanticVaultLP#subtractLoss():
function subtractLoss(uint256 loss) public onlyPerpVault { require( collateral.balanceOf(address(this)) == _totalCollateral - loss, //<------------ "Not enough collateral was sent out" ); _totalCollateral -= loss; }
In PerpetualAtlanticVaultLP, _totalCollateral does not accurately reflect amount of collateral in contract. Attacker simply just need to directly deposit any token to PerpetualAtlanticVaultLP but not in deposit() function, this condition will be break, which make function being reverted.
Manual review.
It is really hard to fix this issue, other mechanism should be implemented to mitigrate this problem
DoS
#0 - c4-pre-sort
2023-09-09T05:59:46Z
bytes032 marked the issue as duplicate of #619
#1 - c4-pre-sort
2023-09-11T16:14:01Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-20T19:35:27Z
GalloDaSballo marked the issue as satisfactory
🌟 Selected for report: 0xrafaelnicolau
Also found by: 0x111, 0xCiphky, 0xMosh, 0xWaitress, 0xc0ffEE, 0xkazim, 0xnev, 0xvj, ABAIKUNANBAEV, Aymen0909, Baki, ElCid, HChang26, HHK, Inspex, Jorgect, Kow, Krace, KrisApostolov, LFGSecurity, MiniGlome, Nyx, QiuhaoLi, RED-LOTUS-REACH, Talfao, Toshii, Vagner, Viktor_Cortess, Yanchuan, _eperezok, asui, atrixs6, bart1e, bin2chen, carrotsmuggler, chaduke, chainsnake, deadrxsezzz, degensec, dethera, dimulski, dirk_y, ether_sky, gizzy, glcanvas, grearlake, gumgumzum, halden, hals, kodyvim, koo, ladboy233, lanrebayode77, max10afternoon, minhtrng, mussucal, nobody2018, peakbolt, pontifex, qbs, ravikiranweb3, rvierdiiev, said, tapir, ubermensch, volodya, wintermute, yashar, zaevlad, zzebra83
0.0367 USDC - $0.04
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L975-#L990
balance of token will be counted wrong because of wrong counting totalWethDelegated in contract
We have this scenario: 1, User A addToDelegate() with amount = 10, totalWethDelegated = 10 2, User B call bondWithDelegate() with delegateId belong to user A, amount = 2, totalWethDelegated = 8 3, User A withdraw rest of non-active collateral, totalWethDelegated = 8
Root cause is in withdraw() function, totalWethDelegated value is not updated when user withdraw, which lead to wrong counting in sync() function:
function sync() external { for (uint256 i = 1; i < reserveAsset.length; i++) { uint256 balance = IERC20WithBurn(reserveAsset[i].tokenAddress) .balanceOf(address(this)); if (weth == reserveAsset[i].tokenAddress) { balance = balance - totalWethDelegated; } reserveAsset[i].tokenBalance = balance; } emit LogSync(); }
Manual review
Minus totalWethDelegated when withdraw weth
Other
#0 - c4-pre-sort
2023-09-08T13:28:06Z
bytes032 marked the issue as duplicate of #2186
#1 - c4-judge
2023-10-20T17:56:44Z
GalloDaSballo marked the issue as satisfactory
#2 - c4-judge
2023-10-21T07:38:54Z
GalloDaSballo changed the severity to 3 (High Risk)
#3 - c4-judge
2023-10-21T07:46:56Z
GalloDaSballo marked the issue as partial-25