Dopex - ke1caM's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Dopex

Findings Distribution

Researcher Performance

Rank: 172/189

Findings: 1

Award: $0.01

🌟 Selected for report: 0

🚀 Solo Findings: 0

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L764-L783

Vulnerability details

Summary

Anyone can front-run the settle function, causing a DoS that leaves the protocol non-functional: the protocol will no longer be able to settle options.

Vulnerability details

The faulty code is located in the PerpetualAtlanticVaultLP contract, specifically in the subtractLoss function. Its require statement checks that the contract's collateral balance is exactly equal to the contract's total collateral minus the loss (collateral.balanceOf(address(this)) == _totalCollateral - loss). An attacker can send the smallest possible amount of the collateral token (e.g. 1 wei) directly to the contract and make this require statement revert every time, because a direct transfer does not update the _totalCollateral variable. This makes it impossible to successfully call settle. The PerpetualAtlanticVaultLP contract has no sync function (unlike other contracts) or any other way to directly re-balance the _totalCollateral state. Even if the protocol found a way to sync the values, another direct transfer would cause another revert.

PoC / Scenario

  1. Admin calls settle with the optionIds parameter.
  2. Attacker front-runs the admin's transaction and directly transfers a small amount of the collateral token to PerpetualAtlanticVaultLP.
  3. The function checks whether the contract is paused and then calls settle in the PerpetualAtlanticVault contract, passing down the input data.
  4. The PerpetualAtlanticVault settle function checks whether the contract is paused and whether the sender is eligible, calls updateFunding() and starts looping through optionIds, calculating ethAmount (and other variables that are not relevant to this exploit scenario).
  5. Later, the function transfers ethAmount from the vault to the core contract and rdpxAmount from the core contract to the vault.
  6. Finally, subtractLoss in PerpetualAtlanticVaultLP is called with ethAmount as the parameter.
  7. subtractLoss checks that the contract's token balance is equal to total collateral minus loss (collateral.balanceOf(address(this)) == _totalCollateral - loss) and reverts because of the inequality caused by the attacker's direct transfer to the PerpetualAtlanticVaultLP contract.

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L764-L783

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L315-L368

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L200-L203

Impact

As a result, options can't be settled and the benefits of these settlements won't be available to users (such as receiving rdpx). Protocol functionality and some fundamental operations are disrupted.

Tools used

Manual analysis, Foundry

Recommendations

Implement a sync function similar to the one in RdpxV2Core. This function synchronizes the contract's token balance with the _totalCollateral variable. Calling it before transferring tokens ensures that direct transfers are not a threat to the internal accounting.
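The following is an added example, not code from the Dopex repository: a minimal hypothetical vault-LP contract (contract name, the inline IERC20 interface and the payoutLoss function are all assumed for illustration) that places the strict equality check described in the finding next to a hardened version that syncs the internal counter before collateral moves, in the spirit of the sync recommendation above.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

/// Hypothetical vault-LP contract (not the Dopex code): an internal collateral
/// counter kept next to the real token balance, as in the accounting described above.
contract VaultLPAccountingExample {
    IERC20 public immutable collateral;
    address public immutable perpVault;   // the only caller allowed to book losses
    uint256 private _totalCollateral;

    constructor(IERC20 collateral_, address perpVault_) {
        collateral = collateral_;
        perpVault = perpVault_;
    }

    modifier onlyPerpVault() {
        require(msg.sender == perpVault, "not perp vault");
        _;
    }

    /// VULNERABLE pattern (the check the finding describes): a direct transfer of
    /// even 1 wei makes balanceOf exceed _totalCollateral, so this always reverts.
    function subtractLossStrict(uint256 loss) external onlyPerpVault {
        require(
            collateral.balanceOf(address(this)) == _totalCollateral - loss,
            "Not enough collateral was sent out"
        );
        _totalCollateral -= loss;
    }

    /// Recommended mitigation: align the counter with the real balance before funds move.
    function sync() public {
        _totalCollateral = collateral.balanceOf(address(this));
    }

    /// HARDENED pattern: sync first, then accept at least the expected balance. A stray
    /// donation now only over-collateralises the pool instead of blocking settlement.
    function payoutLoss(uint256 loss, address to) external onlyPerpVault {
        sync();
        uint256 expected = _totalCollateral - loss;   // reverts on underflow (0.8.x)
        require(collateral.transfer(to, loss), "transfer failed");
        require(collateral.balanceOf(address(this)) >= expected, "Not enough collateral was sent out");
        _totalCollateral = expected;
    }
}
```

Note that sync() deliberately folds any donated tokens into the pool's collateral, which is the trade-off the recommendation accepts in exchange for making the settlement path unblockable.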

Assessed type

DoS

#0 - c4-pre-sort

2023-09-09T05:56:21Z

bytes032 marked the issue as duplicate of #619

#1 - c4-pre-sort

2023-09-11T16:14:00Z

bytes032 marked the issue as sufficient quality report

#2 - c4-pre-sort

2023-09-11T16:14:00Z

bytes032 marked the issue as sufficient quality report

#3 - c4-judge

2023-10-20T19:35:14Z

GalloDaSballo marked the issue as satisfactory
