Lines of code
<https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L975-L990>
<https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1001-L1003>
The sync function of the RdpxV2Core contract is critical for ensuring that the cached balances of the tokens in the contract are up to date. For example, all of the AMO logic involves sending tokens directly to the RdpxV2Core contract, meaning thereβs no function which is used to both transfer the tokens and update the token balances accordingly. This sync function is therefore used to ensure that the token balances are up to date following the token transfers, allowing the RdpxV2Core contract to function smoothly.
The issue is that an attacker can trivially DOS this sync function by making it effectively always revert, which will in turn brick the entire system. Among other issues, it means that any of the Uniswap V2 AMO actions will not be able to update the RdpxV2Core contract state - and the Uniswap V3 AMO actions will always revert, as they call this sync function directly.
Consider how the sync function is implemented:
function sync() external {
for (uint256 i = 1; i < reserveAsset.length; i++) {
uint256 balance = IERC20WithBurn(reserveAsset[i].tokenAddress).balanceOf(
address(this)
);
if (weth == reserveAsset[i].tokenAddress) {
balance = balance - totalWethDelegated;
}
reserveAsset[i].tokenBalance = balance;
}
emit LogSync();
}
Importantly notice that when the reserve asset being updated is WETH, the balance is calculated as balance = balance - totalWethDelegated;. The issue with the current implementation is that itβs trivial to force totalWethDelegated to be greater than balance, causing this subtraction to underflow and the function to revert. This attack can be done in the following way:
Following this attack, totalWethDelegated will be significantly larger than the balance of WETH in the RdpxV2Core contract, and so the subtraction in the sync function will always revert.
Manual review
Update the withdraw function of the RdpxV2Core contract so that it properly decrements totalWethDelegated.
DoS
The text was updated successfully, but these errors were encountered:
All reactions