code-423n4 / 2023-08-dopex-findings


MEV bot can bond with delegate to consume the delegated WETH and make delegator not able to withdraw when contract is unpaused #1118

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L144
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L899
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L941

Vulnerability details

Impact

MEV bot can bond with delegate to consume the delegated WETH and make delegator not able to withdraw when contract is unpaused

Proof of Concept

according to the contest docs:

https://github.com/code-423n4/2023-08-dopex/tree/main

  • Check all that apply (e.g. timelock, NFT, AMM, ERC20, rollups, etc.): Timelock function, NFT, AMM, ERC-20 Token

the protocol is expected to use a timelock, but the protocol does not implement a timelock; any governance-toggled parameter / state is immediately applied to the users and contracts of the protocol

one of the side effects is outlined below

the admin can pause the contract,

and when the contract is paused, calling bond / bondWithDelegate during the pause state,

the transaction reverts in this line of code

during the pause state, the delegator that previously called addToDelegate cannot actually call withdraw as well

but when the contract is unpaused, the MEV bot can quickly and carefully call bond with delegate with a specific delegate id and leave no time for the delegator to withdraw their funds

even if they want to withdraw their delegated funds and do not want their funds to be used during delegation,

they cannot because the contract is paused, and when the contract is unpaused, the MEV bot is always faster

Tools Used

Manual Review

Recommended Mitigation Steps

Do not count the paused time towards expiration, and leave a sufficient timelock for users to withdraw their delegated WETH when the contract is unpaused

Assessed type

Timing
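
A sketch of the recommended post-unpause withdrawal window, added here as an example; it is not part of the report and not Dopex code. The contract, its simplified function signatures, `WITHDRAW_GRACE` and `delegateUsableFrom` are hypothetical, and ETH stands in for WETH.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;
// Hypothetical minimal vault, NOT RdpxV2Core: it models only the pause /
// delegate / withdraw interplay from the report. ETH stands in for WETH.
contract DelegateGraceSketch {
    uint256 public constant WITHDRAW_GRACE = 1 days; // assumed value
    address public immutable admin;
    bool public paused;
    uint256 public delegateUsableFrom; // delegated funds are spendable from this time
    mapping(address => uint256) public bonded; // stand-in for the real bonding logic
    struct Delegate { address owner; uint256 amount; }
    Delegate[] public delegates;

    constructor() { admin = msg.sender; }
    modifier onlyAdmin() { require(msg.sender == admin, "not admin"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    function pause() external onlyAdmin { paused = true; }

    // Unpausing starts the grace window instead of re-enabling everything at once.
    function unpause() external onlyAdmin {
        paused = false;
        delegateUsableFrom = block.timestamp + WITHDRAW_GRACE;
    }

    function addToDelegate() external payable whenNotPaused returns (uint256 id) {
        delegates.push(Delegate(msg.sender, msg.value));
        id = delegates.length - 1;
    }

    // Withdrawal works as soon as the contract is unpaused.
    function withdraw(uint256 id) external whenNotPaused {
        Delegate storage d = delegates[id];
        require(d.owner == msg.sender, "not owner");
        uint256 amount = d.amount;
        d.amount = 0; // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    // Consuming someone else's delegated funds has to wait out the grace window.
    function bondWithDelegate(uint256 id, uint256 amount) external whenNotPaused {
        require(block.timestamp >= delegateUsableFrom, "grace period active");
        Delegate storage d = delegates[id];
        require(d.amount >= amount, "insufficient delegate balance");
        d.amount -= amount;
        bonded[msg.sender] += amount;
    }
}
```

During the window after `unpause()`, `withdraw` succeeds while `bondWithDelegate` reverts, so transaction ordering at the moment of unpause no longer decides whether a delegator can exit.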

c4-pre-sort commented 1 year ago

bytes032 marked the issue as low quality report

bytes032 commented 1 year ago

LQ because of front-running on Arb

c4-judge commented 1 year ago

GalloDaSballo changed the severity to QA (Quality Assurance)