Dopex - niki's results

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L1058

Vulnerability details

Impact

Always returning true even if the DpxethPrice is price is not above the upper peg

Proof of Concept

the Dpxeth is 18 decimals

Tools Used

Manual

Recommended Mitigation Steps

• _validate(getDpxEthPrice() > 1e18, 10);

Assessed type

Decimal

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L282-L285 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L118-L124

Vulnerability details

Impact

First depositor can break minting of shares

1. Minting 1 wei shares
2. Directly transferring assets into the contract to inflate the PerpetualAtlanticVaultLp - totalSupply to be increased
3. Subsequent depositors deposit assets but are minted 0 shares due to precision loss

Proof of Concept

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L283

Upon first deposit, the supply will be 0. The attacker will transact with an amount = 1 wei to mint 1 wei of shares. Then the attacker will transfer some value of asset directly to the contract. For this example, the attacker transfers 10,000 tokens.

Next, a subsequent depositor attempts to mint shares with 5,000 tokens.

shares = 5000 tokens * 1 wei / 10,000 tokens = 0 due to precision loss.

it will return 0 the converToShares and it it will revert the function

The function will revert every time, except if the second depositor deposit more than the transferred tokens that first depositor transfer to the contract

Tools Used

Manual

Recommended Mitigation Steps

Mint a certain number of shares and transfer them to address(0) within the constructor.

Assessed type

Token-Transfer