Dopex - joaovwfreire's results

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVault.sol#L237-L241 https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVault.sol#L426-L458

Vulnerability details

Impact

The PerpetualAtlanticVault contract's calculateFunding function determines premiums based on strikes and the fundingDuration. Alterations to the fundingDuration within a single epoch can lead to uneven premium allocations among different strikes:

Strikes processed earlier in the epoch (before the change in fundingDuration) will have their premiums determined based on the original fundingDuration. Any subsequent change to fundingDuration within the same epoch will cause newer strikes (or unclaimed older ones) to have their premiums calculated differently. This differential premium allocation introduces unevenness into the system. Users who claim or deal with strikes later in the epoch could be at a disadvantage or advantage compared to earlier users, depending on the nature of the configuration change.

Proof of Concept

The updateFundingDuration function allows an administrator to set the fundingDuration:

  function updateFundingDuration(
    uint256 _fundingDuration
  ) external onlyRole(DEFAULT_ADMIN_ROLE) {
    fundingDuration = _fundingDuration;
  }

Changes to fundingDuration will affect the timeToExpiry calculation within calculateFunding, leading to different premium values for strikes within the same epoch:

  uint256 timeToExpiry = nextFundingPaymentTimestamp() -
    (genesis + ((latestFundingPaymentPointer - 1) * fundingDuration));

As a result, the premium calculation becomes inconsistent for different strikes processed within the same epoch:

    uint256 premium = calculatePremium(
        strike,
        amount,
        timeToExpiry,
        getUnderlyingPrice()
      );

Tools Used

Manual review

Recommended Mitigation Steps

Modify the updateFundingDuration function to ensure that changes to fundingDuration only take effect in the subsequent epoch. This will ensure even premium distributions for all strikes within any given epoch.

In the PerpetualAtlanticVault contract:

Add a state variable to temporarily store the proposed fundingDuration:

uint256 public proposedFundingDuration;

Modify the updateFundingDuration function to set the proposedFundingDuration rather than directly altering the fundingDuration:

function updateFundingDuration(uint256 _fundingDuration) external onlyRole(DEFAULT_ADMIN_ROLE) {
    require(_fundingDuration > 0, "Funding duration must be greater than zero");
    
    // Store the new value in the proposedFundingDuration, instead of updating fundingDuration directly
    proposedFundingDuration = _fundingDuration;
}

In the updateFundingPaymentPointer function (which seems to be the mechanism that transitions to the next funding epoch), add logic to set the fundingDuration to the value of proposedFundingDuration if it's non-zero:

function updateFundingPaymentPointer() public {
    // ... existing logic ...

    // If proposedFundingDuration has been set, update fundingDuration as the epoch changes
    if (proposedFundingDuration > 0) {
        fundingDuration = proposedFundingDuration;
        proposedFundingDuration = 0;  // Reset it after updating
    }
}

This approach ensures that any updated fundingDuration only takes effect when transitioning to the next funding epoch, preserving even premium calculations throughout the current epoch.

Assessed type

Context