Back to minhquanym's contests

Dopex - minhquanym's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Dopex

Findings Distribution

Researcher Performance

Rank: 131/189

Findings: 1

Award: $19.17

QA:
grade-b

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryDopex

Findings Information

🌟 Selected for report: juancito

Also found by: 0xDING99YA, 0xTiwa, 0xkazim, 0xnev, ABA, ArmedGoose, Aymen0909, Bauchibred, Evo, IceBear, KrisApostolov, MohammedRizwan, Nikki, QiuhaoLi, T1MOH, Toshii, WoolCentaur, Yanchuan, __141345__, asui, bart1e, carrotsmuggler, catellatech, chaduke, codegpt, deadrxsezzz, degensec, dethera, dirk_y, erebus, ether_sky, gjaldon, glcanvas, jasonxiale, josephdara, klau5, kodyvim, ladboy233, lsaudit, minhquanym, parsely, peakbolt, pep7siup, rvierdiiev, said, savi0ur, sces60107, tapir, ubermensch, volodya, zzebra83

Awards

19.1724 USDC - $19.17

Labels

bug
grade-b
QA (Quality Assurance)
sufficient quality report
Q-20

External Links

Link to GitHub issue

Summary

IdTitle
L-1reserveAsset and reserveTokens are not matched since the constructor only pushes to reserveAsset
L-2Not resetting allowance when setting new addresses in setAddresses()
L-3emergencyWithdraw() should transfer tokens to to instead of msg.sender
L-4Duplicate access control check in function mint()
NC-1_beforeTokenTransfer() is removed in newer versions of OpenZeppelin

L-1. reserveAsset and reserveTokens are not matched since the constructor only pushes to reserveAsset

https://github.com/code-423n4/2023-08-dopex/blob/0ea4387a4851cd6c8811dfb61da95a677f3f63ae/contracts/core/RdpxV2Core.sol#L134

Detail

There are two lists in RdpxV2Core that track assets: reserveAsset and reserveTokens. Each asset should be tracked with the same index in both lists.

However, in the constructor, only the zero asset is pushed to reserveAsset, while nothing is pushed to reserveTokens. This causes assets to not be tracked by the same index.

constructor(address _weth) {
  _setupRole(DEFAULT_ADMIN_ROLE, msg.sender);
  weth = _weth;

  // add Zero asset to reserveAsset
  ReserveAsset memory zeroAsset = ReserveAsset({
    tokenAddress: address(0),
    tokenBalance: 0,
    tokenSymbol: "ZERO"
  });
  reserveAsset.push(zeroAsset); // @audit only reserveAsset is updated
  putOptionsRequired = true;
}

Recommendation

Consider making the index of each asset match in both lists.

L-2. Not resetting allowance when setting new addresses in setAddresses()

https://github.com/code-423n4/2023-08-dopex/blob/0ea4387a4851cd6c8811dfb61da95a677f3f63ae/contracts/core/RdpxV2Core.sol#L339

Detail

When setting new addresses by calling the setAddresses() function, the new addresses of Vault, Router, and Pool are given the maximum allowance. However, the allowance given to the old addresses is not reset. This is risky if the old contracts have issues that need to be mitigated by migrating to the new contract.

Recommendation

Reset the old allowance when setting new addresses.

L-3. emergencyWithdraw() should transfer tokens to to instead of msg.sender

Link: https://github.com/code-423n4/2023-08-dopex/blob/0ea4387a4851cd6c8811dfb61da95a677f3f63ae/contracts/decaying-bonds/RdpxDecayingBonds.sol#L105

Details

The function emergencyWithdraw() has a parameter to that specifies the address that should receive the funds. However, it currently transfers funds to msg.sender, which may not be intended.

Recommendation

Transfer funds to to instead of msg.sender.

L-4. Duplicate access control check in function mint()

Link: https://github.com/code-423n4/2023-08-dopex/blob/0ea4387a4851cd6c8811dfb61da95a677f3f63ae/contracts/decaying-bonds/RdpxDecayingBonds.sol#L120

Details

The role of the sender is already checked in the modifier onlyRole(). However, it is checked again in the function, which is unnecessary.

function mint(
  address to,
  uint256 expiry,
  uint256 rdpxAmount
) external onlyRole(MINTER_ROLE) {
  _whenNotPaused();
  require(hasRole(MINTER_ROLE, msg.sender), "Caller is not a minter"); // @audit duplicate check with modifier
  uint256 bondId = _mintToken(to);
  bonds[bondId] = Bond(to, expiry, rdpxAmount);

  emit BondMinted(to, bondId, expiry, rdpxAmount);
}

Recommendation

Remove the modifier or the require check.

NC-1. _beforeTokenTransfer() is removed in newer versions of OpenZeppelin

Link: https://github.com/code-423n4/2023-08-dopex/blob/0ea4387a4851cd6c8811dfb61da95a677f3f63ae/contracts/dpxETH/DpxEthToken.sol#L55

Details

In newer versions of the OpenZeppelin (OZ) library, _beforeTokenTransfer() has been removed. If this version of OZ is used, overriding _beforeTokenTransfer() will not do anything.

Recommendation

Review the current version of OZ and consider upgrading to use the latest version.

#0 - c4-pre-sort

2023-09-10T11:44:59Z

bytes032 marked the issue as sufficient quality report

#1 - GalloDaSballo

2023-10-10T11:21:00Z

L-1 reserveAsset and reserveTokens are not matched since the constructor only pushes to reserveAsset L

L-2 Not resetting allowance when setting new addresses in setAddresses() L

L-3 emergencyWithdraw() should transfer tokens to to instead of msg.sender L

L-4 Duplicate access control check in function mint() L

NC-1 _beforeTokenTransfer() is removed in newer versions of OpenZeppelin I, if that was the case it wouldn't compile since you must override something when you use the keyowrd

#2 - GalloDaSballo

2023-10-19T07:48:19Z

4L

#3 - c4-judge

2023-10-20T10:21:48Z

GalloDaSballo marked the issue as grade-b

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter