Platform: Code4rena
Start Date: 21/08/2023
Pot Size: $125,000 USDC
Total HM: 26
Participants: 189
Period: 16 days
Judge: GalloDaSballo
Total Solo HM: 3
Id: 278
League: ETH
Rank: 32/189
Findings: 3
Award: $648.93
🌟 Selected for report: 0
🚀 Solo Findings: 0
🌟 Selected for report: LokiThe5th
Also found by: Nikki, __141345__, mahdikarimi, peakbolt, rvierdiiev, wintermute
631.6175 USDC - $631.62
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L315-L369 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L145-L175
PerpetualAtlanticVaultLP share holder can front-run settlement and withdraw his funds from available collateral to escape loss after settlement.
when a new option is created required collateral for settlement has been locked in PerpetualAtlanticVaultLP , although this ensures full settlement but malicious user can front-run settlement and withdraw from available collateral of PerpetualAtlanticVaultLP and escape loss , this loss amount is added to other vault share holders loss.
Malicious user escape from loss and add to vault share holders loss
Consider a scenario that there are 100 collateral and 10 shares in a PerpetualAtlanticVaultLP , 50 of collateral has been locked for settle option positions if required , and a user holds 5 shares in this vault. 1 - an option hits strike price and admin calls settle function . 2 - as 50 collateral is available in vault , malicious user front-runs settlement and withdraw 50 collateral ( for 5 shares ) , malicious user exited contract without loss 3 - then settlement happens and loss for other vault share holders doubles .
Manual Review
Consider lock user shares proportion to active collateral and total supply .
Other
#0 - c4-pre-sort
2023-09-10T07:26:26Z
bytes032 marked the issue as low quality report
#1 - bytes032
2023-09-10T07:26:42Z
The warden claims a malicious user can escape from loss, but doesn't show how.
#2 - GalloDaSballo
2023-10-16T08:57:16Z
I overall think these reports are wrong ITM -> You want settle OTM -> You cannot redeem
Missing proof for real damages
#3 - c4-judge
2023-10-16T08:57:22Z
GalloDaSballo marked the issue as unsatisfactory: Invalid
#4 - c4-judge
2023-10-20T19:05:36Z
GalloDaSballo marked the issue as duplicate of #1584
#5 - c4-judge
2023-10-20T19:05:43Z
GalloDaSballo marked the issue as partial-50
🌟 Selected for report: klau5
Also found by: 0x3b, 0xCiphky, 0xDING99YA, 0xWaitress, 0xbranded, 0xc0ffEE, 0xklh, 0xsurena, 0xvj, ABA, AkshaySrivastav, Anirruth, Aymen0909, Baki, Blockian, BugzyVonBuggernaut, DanielArmstrong, Evo, GangsOfBrahmin, HChang26, Inspex, Jiamin, Juntao, Kow, Krace, KrisApostolov, LFGSecurity, LokiThe5th, Mike_Bello90, Norah, Nyx, QiuhaoLi, RED-LOTUS-REACH, SBSecurity, Snow24, SpicyMeatball, T1MOH, Tendency, Toshii, Udsen, Yanchuan, __141345__, ak1, asui, auditsea, ayden, bart1e, bin2chen, blutorque, carrotsmuggler, chaduke, chainsnake, circlelooper, clash, codegpt, crunch, degensec, dirk_y, ge6a, gjaldon, grearlake, jasonxiale, juancito, ke1caM, kodyvim, kutugu, ladboy233, lanrebayode77, mahdikarimi, max10afternoon, mert_eren, nirlin, nobody2018, oakcobalt, parsely, peakbolt, pks_, pontifex, ravikiranweb3, rokinot, rvierdiiev, said, savi0ur, sces60107, sh1v, sl1, spidy730, tapir, tnquanghuy0512, ubermensch, visualbits, volodya, wintermute
0.0049 USDC - $0.00
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L359-L361 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L200-L203
Attacker can perform inflation attack on PerpetualAtlanticVaultLP and force subtractLoss( used in settlement ) function to revert .
Settle function in PerpetualAtlanticVault transfers collateral token from perpetual vault to rdpxV2Core then calls subtractLoss to report transfer to PerpetualAtlanticVaultLP , in subtractLoss there is a check that ensures
token balance of contract is equal to _totalCollateral - loss (loss is reported transfer amount).
require(collateral.balanceOf(address(this)) == _totalCollateral - loss,);
however if someone transfer some collateral token to contract this check always reverts and settlements get blocked .
Positions can't be settled and assets will get stuck in Vault
Manual Review
You can check contract balance before transfer and track balance change .
Other
#0 - c4-pre-sort
2023-09-09T09:56:58Z
bytes032 marked the issue as duplicate of #619
#1 - c4-pre-sort
2023-09-11T16:14:29Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-20T19:31:45Z
GalloDaSballo marked the issue as partial-50
#3 - GalloDaSballo
2023-10-20T19:31:59Z
Low quality but valid
Consider: -> Writing short sentences -> Add code -> Write POC
🌟 Selected for report: said
Also found by: 0Kage, 0xCiphky, 0xkazim, 836541, AkshaySrivastav, Evo, HChang26, HHK, KrisApostolov, Neon2835, QiuhaoLi, Tendency, Toshii, bart1e, bin2chen, carrotsmuggler, chaduke, etherhood, gjaldon, glcanvas, josephdara, lanrebayode77, mahdikarimi, max10afternoon, nobody2018, peakbolt, qpzm, rvierdiiev, sces60107, tapir, ubermensch, volodya
17.313 USDC - $17.31
Attacker can deposit and redeem in same transaction to steal funding payment
when a user deposits into PerpetualAtlanticVaultLP ,deposit function calculates amount of shares to be minted based on total supply and total collateral then calls perpetualAtlanticVault.updateFunding() to calculate and transfer pending funding to PerpetualAtlanticVaultLP , as new collateral has been added to vault value of shares increased and if user redeems it instantly he will get more than deposit amount , for example if user has deposited as much as 50% of vault collateral he will get 50% of assest transferred via updateFunding so if he use flash loans he can take most of the fundings that has been paid to vault , this also can be used to take premium free options .
Attacker can steal funding payments made to PerpetualAtlanticVaultLP
Let's say there is 1000 collateral in vault with total supply of 1000 . 1 - Alice takes a flashloan of 10000 collateral . 2 - Alice deposits 10000 collateral to vault ( 10000 shares calculated to mint for alice ) . 3 - deposit function calls updateFunding which transferes ( for example ) 100 collateral as funding and adds value to each vault share . 4 - 10000 shares has been minted for alice . 5 - Alice redeems all of her 10000 shares ans she'll receive nearly 10100 collateral instantly .
Manual Review
Consider call perpetualAtlanticVault.updateFunding() before calculating shares .
Other
#0 - c4-pre-sort
2023-09-08T14:11:55Z
bytes032 marked the issue as duplicate of #867
#1 - c4-pre-sort
2023-09-11T09:08:07Z
bytes032 marked the issue as sufficient quality report
#2 - c4-judge
2023-10-20T19:25:38Z
GalloDaSballo marked the issue as satisfactory