code-423n4 / 2023-08-dopex-findings


RdpxV2Core.provideFunding can be forced to skip paying if paused for a long period #1430

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L796-L798

Vulnerability details

Impact

Since PerpetualAtlanticVault.updateFundingPaymentPointer is a public function and is independent of RdpxV2Core's pause state, if the PerpetualAtlanticVault.updateFundingPaymentPointer function is called while the RdpxV2Core is paused for a duration longer than an Epoch period, the PerpetualAtlanticVault.latestFundingPaymentPointer becomes up-to-date. This forces the RdpxV2Core.provideFunding function to miss payment for the previous Epoch since it relies on PerpetualAtlanticVault.latestFundingPaymentPointer instead of its own, resulting in a loss of funds for option writers.

Proof of Concept

  1. Alice, the protocol admin, pauses the RdpxV2Core for a period longer than an Epoch.

  2. During this pause, the PerpetualAtlanticVault.updateFundingPaymentPointer function is freely called, updating the PerpetualAtlanticVault.latestFundingPaymentPointer to the current Epoch.

  3. When the system is unpaused and RdpxV2Core.provideFunding is called for the current Epoch, it calculates funding based on the updated PerpetualAtlanticVault.latestFundingPaymentPointer, effectively skipping the payment for the previous Epoch.

  4. Option writers who were supposed to receive funding for the previous Epoch do not receive their payments, resulting in a loss of eligible funds.

Tools Used

Manual Review

Recommended Mitigation Steps

To mitigate this vulnerability, the RdpxV2Core contract should manage its own latestFundingPaymentPointer rather than tracking the PerpetualAtlanticVault's latestFundingPaymentPointer. This would ensure that RdpxV2Core can accurately calculate and provide funding even if the system was paused for an extended period.

Assessed type

Other
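
The pointer skip from the Proof of Concept and the recommended mitigation, as an added example that is not part of the original report and is not the project's code. It is a simplified Python model: the epoch length, the fixed per-epoch amount, and the names Vault, Core, next_unpaid and scenario are assumptions made for illustration.

```python
EPOCH = 7 * 24 * 3600  # constructed epoch length in seconds (assumption, not from the report)


class Vault:
    """Models only the funding pointer of PerpetualAtlanticVault."""

    def __init__(self):
        self.latest_pointer = 0
        self.paid = {}  # epoch index -> funding received by option writers

    def update_funding_payment_pointer(self, now):
        # Public and independent of Core's pause state, as the report describes.
        self.latest_pointer = max(self.latest_pointer, now // EPOCH)


class Core:
    """Models RdpxV2Core.provideFunding with and without its own pointer."""

    def __init__(self, vault, own_pointer):
        self.vault = vault
        self.paused = False
        self.own_pointer = own_pointer
        self.next_unpaid = 0  # hypothetical Core-side pointer (the mitigation)

    def provide_funding(self, now, amount=100):
        if self.paused:
            raise RuntimeError("paused")
        if self.own_pointer:
            # Mitigated: pay every epoch Core has not funded yet.
            epochs = list(range(self.next_unpaid, now // EPOCH + 1))
        else:
            # Reported behaviour: pay only the epoch the vault pointer names.
            epochs = [self.vault.latest_pointer]
        for epoch in epochs:
            self.vault.paid[epoch] = amount
        self.next_unpaid = now // EPOCH + 1
        return epochs


def scenario(own_pointer):
    """Replays PoC steps 1 to 3 and returns the epochs that received funding."""
    vault = Vault()
    core = Core(vault, own_pointer)
    core.provide_funding(now=0)                      # epoch 0 funded normally
    core.paused = True                               # step 1: pause longer than an epoch
    later = 2 * EPOCH + 1
    vault.update_funding_payment_pointer(now=later)  # step 2: public call while paused
    core.paused = False
    core.provide_funding(now=later)                  # step 3: funding resumes
    return sorted(vault.paid)
```
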

c4-pre-sort commented 1 year ago

bytes032 marked the issue as primary issue

c4-pre-sort commented 1 year ago

bytes032 marked the issue as sufficient quality report

c4-sponsor commented 12 months ago

psytama (sponsor) confirmed

c4-judge commented 11 months ago

GalloDaSballo marked the issue as duplicate of #1496

c4-judge commented 11 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)

c4-judge commented 11 months ago

GalloDaSballo marked the issue as grade-b

hungdoo commented 11 months ago

I believe the issue should be a valid Med since this would result in a loss of funds (premium payment) for the Option Writers. If the Option Buyer wants to opt out of paying the premium, he should've settled/forfeited his PUT options instead of pausing the protocol.

GalloDaSballo commented 11 months ago

It would result in loss of funds but it's caused by the admin, which is: