Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $125,000 USDC
Total HM: 26
Participants: 189
Period: 16 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 278
League: ETH
Rank: 166/189
Findings: 1
Award: $0.07
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: 0xrafaelnicolau
Also found by: 0x111, 0xCiphky, 0xMosh, 0xWaitress, 0xc0ffEE, 0xkazim, 0xnev, 0xvj, ABAIKUNANBAEV, Aymen0909, Baki, ElCid, HChang26, HHK, Inspex, Jorgect, Kow, Krace, KrisApostolov, LFGSecurity, MiniGlome, Nyx, QiuhaoLi, RED-LOTUS-REACH, Talfao, Toshii, Vagner, Viktor_Cortess, Yanchuan, _eperezok, asui, atrixs6, bart1e, bin2chen, carrotsmuggler, chaduke, chainsnake, deadrxsezzz, degensec, dethera, dimulski, dirk_y, ether_sky, gizzy, glcanvas, grearlake, gumgumzum, halden, hals, kodyvim, koo, ladboy233, lanrebayode77, max10afternoon, minhtrng, mussucal, nobody2018, peakbolt, pontifex, qbs, ravikiranweb3, rvierdiiev, said, tapir, ubermensch, volodya, wintermute, yashar, zaevlad, zzebra83
0.0734 USDC - $0.07
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1002
Storage variable totalWethDelegated can be easily manipulated if malicious user deposit big amount of weth and than imidieatly withdraw through withdraw functions. When normal user deposit weth they call addToDelegate function and deposited amount is added to totalWethDelegated: totalWethDelegated += _amount. When user bond with delegate he call bondWithDelegate and only weth required is substracted from totalWethDelegated totalWethDelegated -= wethRequired
The storage variable totalWethDelegated can be easily manipulated if a malicious user deposits a large amount of WETH and immediately withdraws it through the withdraw function. When a normal user deposits WETH, they call the addToDelegate function, and the deposited amount is added to totalWethDelegated: totalWethDelegated += _amount. When a user bonds with a delegate, they call the bondWithDelegate function and only the required WETH is subtracted from totalWethDelegated: totalWethDelegated -= wethRequired.
Unfortunatly, when user withdraw your weth through withdraw function variable totalWethDelegated is not substracted but balance of contract will deacrease because eth are transfered to user: IERC20WithBurn(weth).safeTransfer(msg.sender, amountWithdrawn). This open vulnarability because totalWethDelegated will be bigger than actual balance and function sync will revert during arithmetic underflow
Unfortunately, when a user withdraws their WETH through the withdraw function, the variable totalWethDelegated is not subtracted. Instead, the contract's balance decreases because WETH is transferred to the user using this line of code: IERC20WithBurn(weth).safeTransfer(msg.sender, amountWithdrawn). This creates a vulnerability because totalWethDelegated will be larger than the actual balance and the sync function will revert due to an arithmetic underflow. balance = balance - totalWethDelegated
Test:
function testManipulateTotalWethDelegated() public { // add 2weth uint delegateId = rdpxV2Core.addToDelegate(2 * 1e18, 10e8); // withdraw 2weth rdpxV2Core.withdraw(delegateId); // rdpxV2Core.sync(); -> this will revert if it is called. uint256 contractBalance = weth.balanceOf(address(rdpxV2Core)); uint256 totalWethDelegated = rdpxV2Core.totalWethDelegated(); // Revert assertEq(contractBalance, totalWethDelegated); }
Manual Review
Substract amountWithdrawn from totalWethDelegated when withdraw function is called.
Under/Overflow
#0 - c4-pre-sort
2023-09-08T12:18:37Z
bytes032 marked the issue as duplicate of #2186
#1 - c4-judge
2023-10-20T17:52:51Z
GalloDaSballo marked the issue as satisfactory
#2 - c4-judge
2023-10-20T17:55:32Z
GalloDaSballo changed the severity to 2 (Med Risk)
#3 - c4-judge
2023-10-21T07:38:54Z
GalloDaSballo changed the severity to 3 (High Risk)
#4 - c4-judge
2023-10-21T07:40:56Z
GalloDaSballo marked the issue as partial-50