code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L145-L175

Vulnerability details

Impact

PerpetualAtlanticVaultLP depositor can avoid losses by redeeminf before settle is called

Proof of Concept

PerpetualAtlanticVaultLP users deposit into the contract in order to receive funding payment as yield. When optin is exercised, that means that PerpetualAtlanticVaultLP lost funds. Then vault pays option and receives rdpx.

In order to exercise ITM options, PerpetualAtlanticVault.settle is called. This function processes several options a time. During the process it notifies PerpetualAtlanticVaultLP about loss and sends rdpx from option buyer. In this moment it means that exchange rate of PerpetualAtlanticVaultLP has decreased and vault has lost some amount of funds.

In case if arbitrum has frontrunning ability, i would simply say, that attacker can frontrun settle call and withdraw funds. But even without frontrunning it's possible to detect correct time to withdraw. Anyone can detect strike prices and amount of options for them. This allows depositor to withdraw from vault, when market price has reached strike price with big amount of options. This will allow him to get better exchange rate. After options will be settled(repaid), then he can deposit again. Such strategy can be used to earn yields, but avoid losses.

Tools Used

VsCode

Recommended Mitigation Steps

You can think about mechanism that doesn't allow to withdraw at same epoch.

Assessed type

Error