Open code423n4 opened 1 year ago
bytes032 marked the issue as primary issue
bytes032 marked the issue as sufficient quality report
psytama (sponsor) confirmed
GalloDaSballo marked the issue as duplicate of #1496
GalloDaSballo changed the severity to QA (Quality Assurance)
GalloDaSballo marked the issue as grade-b
I believe the issue should be a valid Med since this would result in a loss of funds (premium payment) for the Option Writers. If the Option Buyer wants to opt out of paying the premium, he should've settled/forfeited his PUT options instead of pausing the protocol.
It would result in loss of funds but it's caused by the admin, which is:
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L796-L798
Vulnerability details
Impact
Since PerpetualAtlanticVault.updateFundingPaymentPointer is a public function and is independent of RdpxV2Core's pause state, if the PerpetualAtlanticVault.updateFundingPaymentPointer function is called while the RdpxV2Core is paused for a duration longer than an Epoch period, the PerpetualAtlanticVault.latestFundingPaymentPointer becomes up-to-date. This forces the RdpxV2Core.provideFunding function to miss payment for the previous Epoch since it relies on PerpetualAtlanticVault.latestFundingPaymentPointer instead of its own, resulting in a loss of funds for option writers.
Proof of Concept
Alice, the protocol admin, pauses the RdpxV2Core for a period longer than an Epoch.
During this pause, the PerpetualAtlanticVault.updateFundingPaymentPointer function is freely called, updating the PerpetualAtlanticVault.latestFundingPaymentPointer to the current Epoch.
When the system is unpaused and RdpxV2Core.provideFunding is called for the current Epoch, it calculates funding based on the updated PerpetualAtlanticVault.latestFundingPaymentPointer, effectively skipping the payment for the previous Epoch.
Option writers who were supposed to receive funding for the previous Epoch do not receive their payments, resulting in a loss of eligible funds.
Tools Used
Manual Review
Recommended Mitigation Steps
To mitigate this vulnerability, the RdpxV2Core contract should manage its own latestFundingPaymentPointer rather than tracking the PerpetualAtlanticVault's latestFundingPaymentPointer. This would ensure that RdpxV2Core can accurately calculate and provide funding even if the system was paused for an extended period.
Assessed type
Other
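
A simplified Python model of the skipped payment described in this report, next to the recommended mitigation. It is an added illustration, not code from the Dopex contracts or from the report's author. The class names, integer epochs, fixed premium and the catch-up loop in CoreOwnPointer are assumptions.

```python
# Constructed model: epochs are plain integers, one fixed premium is owed per epoch.
class Vault:
    """Stands in for PerpetualAtlanticVault."""
    def __init__(self):
        self.latest_funding_payment_pointer = 0
        self.funded = {}  # epoch -> premium received

    def update_funding_payment_pointer(self, current_epoch):
        # Public and independent of the core's pause state, as the report states.
        self.latest_funding_payment_pointer = max(
            self.latest_funding_payment_pointer, current_epoch)

    def receive(self, epoch, amount):
        self.funded[epoch] = self.funded.get(epoch, 0) + amount

class CoreSharedPointer:
    """Reported behaviour: the core pays whichever epoch the vault's pointer names."""
    def __init__(self, vault, premium):
        self.vault, self.premium, self.paused = vault, premium, False

    def provide_funding(self, current_epoch):  # current_epoch unused: pointer decides
        if self.paused:
            raise RuntimeError("core is paused")
        self.vault.receive(self.vault.latest_funding_payment_pointer, self.premium)

class CoreOwnPointer(CoreSharedPointer):
    """Mitigation sketch: the core tracks the next epoch it still owes (assumed design)."""
    def __init__(self, vault, premium):
        super().__init__(vault, premium)
        self.next_unpaid_epoch = 0

    def provide_funding(self, current_epoch):
        if self.paused:
            raise RuntimeError("core is paused")
        while self.next_unpaid_epoch <= current_epoch:  # catch up after a long pause
            self.vault.receive(self.next_unpaid_epoch, self.premium)
            self.next_unpaid_epoch += 1

def unpaid_epochs(core_cls, premium=100):
    """Replay the report's scenario and return the epochs that never got a premium."""
    vault = Vault()
    core = core_cls(vault, premium)
    core.provide_funding(0)                  # epoch 0 is funded normally
    core.paused = True                       # admin pauses for all of epoch 1
    vault.update_funding_payment_pointer(2)  # still callable while the core is paused
    core.paused = False                      # unpaused during epoch 2
    core.provide_funding(2)
    return [e for e in range(3) if vault.funded.get(e, 0) == 0]

if __name__ == "__main__":
    print("shared pointer, unpaid epochs:", unpaid_epochs(CoreSharedPointer))
    print("own pointer, unpaid epochs:   ", unpaid_epochs(CoreOwnPointer))
```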