Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L563
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L462
Vulnerability details
Impact
If duration decreases, then fundingPointer is incremented repeatedly in updateFundingPaymentPointer, which involves gas-heavy operations such as transfers and external contract calls. The function can therefore revert with an out-of-gas (OOG) error, causing all functionality to fail, including purchase and settle.
If duration increases, then fundingPointer stays the same and nextFundingTimestamp goes up, since it is proportional to duration. As a result, funding calculations cause premiums to go up, because time to expiry must also increase; if the increase is too large, DoS can result from not having enough tokens.
The more time that has passed since genesis (the larger the fundingPaymentPointer), the greater the risks associated with changing the duration.
Proof of Concept
Duration is currently 7 days and updated to 1 day. The fundingPaymentPointer was originally 10. It must now be updated to 70. 60 iterations of the while loop occur, which causes OOG due to repeated transfer and external function calls.
Duration is currently 1 day and updated to 7 days. The fundingPaymentPointer was originally 10 and stays at 10. But now, when calculating funding, the time passed is 7 times what it originally was, so 6 times the total amount of funding ever paid is due at once, likely leading to DoS due to not having enough tokens, or at least to extremely high premiums.
Tools Used
Manual review
Recommended Mitigation Steps
Do not allow changes in duration; if it is changed, ensure it stays within some legal bounds.
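The two proof-of-concept scenarios and a bounds check of the kind the mitigation asks for, modeled in Python as an added example (not the Dopex contract code). It assumes the next funding timestamp is genesis + pointer * duration and that the pointer advances one step per loop pass; the function names and the limits passed to the guard are hypothetical.

```python
DAY = 86_400  # seconds

def next_funding_ts(genesis, pointer, duration):
    # Assumed formula: proportional to duration, as the finding describes.
    return genesis + pointer * duration

def catch_up(genesis, pointer, duration, now):
    """Advance the pointer one step per pass until the next funding time is in the future."""
    passes = 0
    while now >= next_funding_ts(genesis, pointer, duration):
        pointer += 1  # on-chain, each pass also performs transfers and external calls
        passes += 1
    return passes, pointer

def change_effect(genesis, pointer, old_duration, new_duration, now):
    """Loop passes forced by the change, and how far the next funding time moves."""
    passes, new_pointer = catch_up(genesis, pointer, new_duration, now)
    shift = (next_funding_ts(genesis, new_pointer, new_duration)
             - next_funding_ts(genesis, pointer, old_duration))
    return {"passes": passes, "pointer": new_pointer, "shift": shift}

def rejection_reasons(effect, new_duration, min_d, max_d, max_passes, max_shift):
    """Hypothetical guard for a duration setter; every limit is chosen by the caller."""
    reasons = []
    if not min_d <= new_duration <= max_d:
        reasons.append("duration out of bounds")
    if effect["passes"] > max_passes:
        reasons.append("catch-up loop too long")
    if abs(effect["shift"]) > max_shift:
        reasons.append("funding window moves too far")
    return reasons

# Constructed inputs matching the two proof-of-concept scenarios.
GENESIS = 0
SHORTEN = change_effect(GENESIS, 10, 7 * DAY, 1 * DAY, now=69 * DAY + DAY // 2)
LENGTHEN = change_effect(GENESIS, 10, 1 * DAY, 7 * DAY, now=9 * DAY + DAY // 2)

if __name__ == "__main__":
    for name, eff, new_d in (("7d -> 1d", SHORTEN, DAY), ("1d -> 7d", LENGTHEN, 7 * DAY)):
        print(name, eff, rejection_reasons(eff, new_d, DAY, 14 * DAY, 5, 2 * DAY))
```

A guard like this belongs in the setter itself, so that a rejected change reverts before the pointer or timestamp logic ever sees the new duration.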
Assessed type
DoS