Dopex - okolicodes's results

A rebate system for option writers in the Dopex Protocol.

General Information

Platform: Code4rena

Start Date: 21/08/2023

Pot Size: $125,000 USDC

Total HM: 26

Participants: 189

Period: 16 days

Judge: GalloDaSballo

Total Solo HM: 3

Id: 278

League: ETH

Researcher Performance

Rank: 112/189

Findings: 1

Award: $46.25

🌟 Selected for report: 0

🚀 Solo Findings: 0

Awards

46.2486 USDC - $46.25

Labels

bug
2 (Med Risk)
satisfactory
sufficient quality report
duplicate-863

External Links

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L118C1-L124C1plain=1#L118

Vulnerability details

Impact

Vault deposits can be front-run and user funds stolen with an ERC4626 inflation attack.

Proof of Concept

Attack scenario:

A hacker back-runs the transaction of LMPVault ERC4626 pool creation.

  1. The hacker mints for themself one share: deposit(1). Thus, totalAsset()==1, totalSupply()==1.
  2. The hacker front-runs the deposit of the victim who wants to deposit 20,000 tokens (20,000.000000).
  3. The hacker inflates the denominator right in front of the victim: asset.transfer(20_000e6). Now totalAsset()==20_000e6 + 1, totalSupply()==1.
  4. Next, the victim's tx takes place. The victim gets 1 * 20_000e6 / (20_000e6 + 1) == 0 shares. The victim gets zero shares.
  5. The hacker burns their share and gets all the money.

Take a look at this deposit function: https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L118C1-L124C1

In this part of the deposit function, we can see the require statement that checks shares, and it calls the previewDeposit function: https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L123C3-L123C68

The previewDeposit function then returns the convertToShares function as well: https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L269

Then convertToShares returns: https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L282C1-L282C1

Reference: https://mixbytes.io/blog/overview-of-the-inflation-attack

H01 of this audit report: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/audits/2022-10-ERC4626.pdf

Tools Used

Manual Review + H20

Implement the mitigation strategies here: https://blog.openzeppelin.com/a-novel-defense-against-erc4626-inflation-attacks

Assessed type

ERC4626
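The share arithmetic of the scenario above, replayed next to the virtual-shares offset described in the linked OpenZeppelin post, as an added example that is not part of the submission and not Dopex's code. It is a Python integer model that assumes the standard ERC4626 formula `assets * totalSupply / totalAssets` rounded down; `Vault`, `run_scenario` and the account names are hypothetical.

```python
class Vault:
    """Integer model of ERC4626 share accounting (constructed; not Dopex code)."""

    def __init__(self, offset=None):
        self.offset = offset          # None: naive formula; k: 10**k virtual shares
        self.total_assets = 0
        self.total_supply = 0
        self.shares = {}

    def convert_to_shares(self, assets):
        if self.offset is not None:   # OpenZeppelin-style virtual shares/assets
            return assets * (self.total_supply + 10**self.offset) // (self.total_assets + 1)
        if self.total_supply == 0:    # empty vault mints 1:1
            return assets
        return assets * self.total_supply // self.total_assets  # rounds down

    def convert_to_assets(self, shares):
        if self.offset is not None:
            return shares * (self.total_assets + 1) // (self.total_supply + 10**self.offset)
        return shares * self.total_assets // self.total_supply

    def deposit(self, who, assets):
        minted = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_supply += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets):
        self.total_assets += assets   # plain token transfer: no shares minted

    def redeem_all(self, who):
        burned = self.shares.pop(who, 0)
        out = self.convert_to_assets(burned) if burned else 0
        self.total_assets -= out
        self.total_supply -= burned
        return out


def run_scenario(offset=None, victim_deposit=20_000 * 10**6):
    """Replay steps 1-5; returns (victim_shares, first_out, victim_out)."""
    v = Vault(offset)
    v.deposit("first", 1)                       # step 1: one share
    v.donate(victim_deposit)                    # step 3: inflate totalAssets
    victim_shares = v.deposit("victim", victim_deposit)  # step 4
    first_out = v.redeem_all("first")           # step 5
    return victim_shares, first_out, v.redeem_all("victim")
```

With `offset=None` the second depositor receives zero shares; with an offset the first depositor redeems less than the donated amount, so the donation no longer pays for itself.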

#0 - bytes032

2023-09-12T12:52:21Z

LQ because of front-running on Arb

#1 - c4-pre-sort

2023-09-15T08:28:15Z

bytes032 marked the issue as duplicate of #863

#2 - c4-pre-sort

2023-09-15T08:28:20Z

bytes032 marked the issue as sufficient quality report

#3 - c4-judge

2023-10-18T12:50:16Z

GalloDaSballo marked the issue as satisfactory
