The function bondWithDelegate is used to bond rdpx tokens to WETH tokens provided by delegators. The function takes an array of amounts and an array of delegation ids, loops over them, and takes the given amount from each delegate id sent.
    for (uint256 i = 0; i < _amounts.length; i++) {
      // Validate amount
      _validate(_amounts[i] > 0, 4);
The only validation done is that each amount is non-zero. When a user bonds this way, part of the bond is staked on the user's account, and the rest is staked on the delegator's account. The user can set each value in _amounts[] as low as possible, and the transaction will go through as long as the amount is non-zero.
So if a malicious user takes a bunch of delegations and matches a small amount against each of them, the delegators will get small amounts of the bonds. These amounts can be so small that it isn't worth it for the delegators to redeem them on expiry due to gas costs. The attacker can also choose to match the same delegation multiple times in small amounts, and this also gives rise to the same scenario.
The attacker gets an inherent advantage since their actions are batched, but the delegators have to redeem their bonds one at a time, and so will have to pay far higher gas costs. This can be used to grief the delegators.
Proof of Concept
This issue arises from there being no minimum amount to match delegations. This can be seen in the following snippet.
    for (uint256 i = 0; i < _amounts.length; i++) {
      // Validate amount
      _validate(_amounts[i] > 0, 4);
Tools Used
Manual Review
Recommended Mitigation Steps
Specify a minimum _amounts[i] value so that the delegators are not griefed by gas costs.
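One way to enforce the recommended minimum, shown as an added example that is not Dopex's code: the contract, struct, function and error names below are hypothetical, and only the bookkeeping of a match is modeled. It also handles the case a flat minimum misses, where the last part of a delegation is smaller than the minimum.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration, not Dopex code. The contract, struct and function
// names are hypothetical; only the loop shape follows the snippet above.
contract DelegateMatchMinimum {
    struct Delegation {
        address owner;
        uint256 deposited; // WETH put up by the delegator
        uint256 matched;   // WETH already used in bonds
    }

    Delegation[] public delegations;
    // Assumption: sized so one redemption is worth more than its gas cost.
    uint256 public immutable minMatchAmount;

    error LengthMismatch();
    error ZeroAmount(uint256 index);
    error ExceedsRemaining(uint256 index, uint256 amount, uint256 remaining);
    error BelowMinimum(uint256 index, uint256 amount, uint256 minimum);

    constructor(uint256 _minMatchAmount) {
        minMatchAmount = _minMatchAmount;
    }

    function deposit(uint256 _amount) external returns (uint256 id) {
        if (_amount < minMatchAmount) revert BelowMinimum(0, _amount, minMatchAmount);
        delegations.push(Delegation(msg.sender, _amount, 0));
        return delegations.length - 1;
    }

    function matchDelegations(uint256[] calldata _amounts, uint256[] calldata _ids) external {
        if (_amounts.length != _ids.length) revert LengthMismatch();
        for (uint256 i = 0; i < _amounts.length; i++) {
            Delegation storage d = delegations[_ids[i]];
            uint256 remaining = d.deposited - d.matched;
            if (_amounts[i] == 0) revert ZeroAmount(i);
            if (_amounts[i] > remaining) revert ExceedsRemaining(i, _amounts[i], remaining);
            // Reject dust, except when the match consumes the whole remainder:
            // otherwise a leftover smaller than the minimum could never be used.
            if (_amounts[i] < minMatchAmount && _amounts[i] != remaining) {
                revert BelowMinimum(i, _amounts[i], minMatchAmount);
            }
            d.matched += _amounts[i];
            // Bond accounting and token transfers are omitted in this sketch.
        }
    }
}
```

Under this rule a delegation can receive at most one match below the minimum, the one that empties it, so repeated small matches against the same delegation revert.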
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L819-L885
Assessed type
Other