Back to minhtrng's contests

Dopex - minhtrng's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Dopex

Findings Distribution

Researcher Performance

Rank: 85/189

Findings: 2

Award: $96.40

🌟 Selected for report: 0

🚀 Solo Findings: 0

External Links

Code4rena Contest PageGithub Contest RepositoryGithub Findings RepositoryDopex

Findings Information

🌟 Selected for report: LokiThe5th

Also found by: 0xPsuedoPandit, 0xTiwa, 0xnev, 0xvj, Evo, Jiamin, Juntao, QiuhaoLi, T1MOH, Udsen, circlelooper, crunch, eeshenggoh, gjaldon, hals, josephdara, kutugu, minhtrng, niki, umarkhatab_465

Awards

96.3292 USDC - $96.33

Labels

bug
3 (High Risk)
satisfactory
upgraded by judge
sufficient quality report
duplicate-549

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L1240-L1241

Vulnerability details

Impact

The core contract expects the price oracle to return 1e8 precision, but its actually 1e18. This will cause heavily incorrect results from all usages of the price.

Proof of Concept

The RdpxV2Core.getRdpxPrice function is meant to return 1e8 precision:

   * @notice Returns the price of rDPX against ETH
   * @dev    Price is in 1e8 Precision
   * @return rdpxPriceInEth rDPX price in ETH
   **/
  function getRdpxPrice() public view returns (uint256) {
    return
      IRdpxEthOracle(pricingOracleAddresses.rdpxPriceOracle)
        .getRdpxPriceInEth();
  }

It can be seen that the value of IRdpxEthOracle is returned unchanged. Now looking at the implementation of RdpxEthOracle.getRdpxPriceInEth:

/// @notice Returns the price of rDPX in ETH
/// @return price price of rDPX in ETH in 1e18 decimals
//@tagged RdpxV2Core.bondWithDelegate
function getRdpxPriceInEth() external view override returns (uint price) {
    require(
        blockTimestampLast + timePeriod + nonUpdateTolerance >
            block.timestamp,
        "RdpxEthOracle: UPDATE_TOLERANCE_EXCEEDED"
    );

    price = consult(token0, 1e18);

    require(price > 0, "RdpxEthOracle: PRICE_ZERO");
}

As can be seen, the precision is 1e18.

Tools Used

Manual Review

Divide the result from getRdpxPriceInEth by 1e10 to get 1e8 precision

Assessed type

Other

#0 - c4-pre-sort

2023-09-09T05:08:20Z

bytes032 marked the issue as duplicate of #549

#1 - c4-pre-sort

2023-09-12T05:17:41Z

bytes032 marked the issue as sufficient quality report

#2 - c4-judge

2023-10-20T18:28:05Z

GalloDaSballo marked the issue as satisfactory

#3 - c4-judge

2023-10-20T18:28:12Z

GalloDaSballo changed the severity to 2 (Med Risk)

#4 - c4-judge

2023-10-20T18:28:21Z

GalloDaSballo changed the severity to 3 (High Risk)

Findings Information

🌟 Selected for report: 0xrafaelnicolau

Also found by: 0x111, 0xCiphky, 0xMosh, 0xWaitress, 0xc0ffEE, 0xkazim, 0xnev, 0xvj, ABAIKUNANBAEV, Aymen0909, Baki, ElCid, HChang26, HHK, Inspex, Jorgect, Kow, Krace, KrisApostolov, LFGSecurity, MiniGlome, Nyx, QiuhaoLi, RED-LOTUS-REACH, Talfao, Toshii, Vagner, Viktor_Cortess, Yanchuan, _eperezok, asui, atrixs6, bart1e, bin2chen, carrotsmuggler, chaduke, chainsnake, deadrxsezzz, degensec, dethera, dimulski, dirk_y, ether_sky, gizzy, glcanvas, grearlake, gumgumzum, halden, hals, kodyvim, koo, ladboy233, lanrebayode77, max10afternoon, minhtrng, mussucal, nobody2018, peakbolt, pontifex, qbs, ravikiranweb3, rvierdiiev, said, tapir, ubermensch, volodya, wintermute, yashar, zaevlad, zzebra83

Awards

0.0734 USDC - $0.07

Labels

bug
3 (High Risk)
partial-50
upgraded by judge
duplicate-239

External Links

Link to GitHub issue

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L986-L987

Vulnerability details

Impact

The accounting for total weth delegated increases when adding, but not withdrawing. This allows anyone to inflate this value by repeatedly adding and withdrawing. This again will cause DOS of the bonding mechanism.

Proof of Concept

RdpxV2Core.addToDelegate increases totalWethDelegated while RdpxV2Core.withdraw does not decrease it:

  function addToDelegate(
    uint256 _amount,
    uint256 _fee
  ) external returns (uint256) {
    ...
    // add amount to total weth delegated
    totalWethDelegated += _amount;
  }

This can be used to increase the value of totalWethDelegated through repeatedly adding and withdrawing. This value is used in RdpxV2Core.sync (which gets called in the bonding process) as part of a subtraction:

balance = balance - totalWethDelegated;

This will cause an underflow and break the bonding.

Tools Used

Manual Review

Decrease totalWethDelegated when withdrawing

Assessed type

Other

#0 - c4-pre-sort

2023-09-07T10:25:40Z

bytes032 marked the issue as duplicate of #2186

#1 - c4-judge

2023-10-20T17:46:30Z

GalloDaSballo marked the issue as satisfactory

#2 - c4-judge

2023-10-20T17:55:32Z

GalloDaSballo changed the severity to 2 (Med Risk)

#3 - c4-judge

2023-10-21T07:38:20Z

GalloDaSballo marked the issue as partial-50

#4 - c4-judge

2023-10-21T07:39:07Z

GalloDaSballo changed the severity to 3 (High Risk)

AuditHub

A portfolio for auditors, a security profile for protocols, a hub for web3 security.

Built bymalatrax © 2024

Auditors

Browse

Contests

Browse

Get in touch

ContactTwitter