code-423n4 / 2023-08-dopex-findings

Lack of access control in Function updateFunding makes it vulnerable to loss of funds. #18

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/0ea4387a4851cd6c8811dfb61da95a677f3f63ae/contracts/perp-vault/PerpetualAtlanticVault.sol#L502

Vulnerability details

Impact

Lack of access control in function updateFunding leads to loss of funds.

Attackers can exploit this by gaining control of the perpetualAtlanticVaultLP through phishing or social engineering. The attacker then calls function updateFunding. Function updateFunding transfers the collateral and proceeds to perpetualAtlanticVaultLP. Finally, the attackers transfer the funds from perpetualAtlanticVaultLP to their address. This is because there are no checks in place, leading to loss of funds.

Proof of Concept

function updateFunding() public {
  updateFundingPaymentPointer();
  uint256 currentFundingRate = fundingRates[latestFundingPaymentPointer];
  uint256 startTime = lastUpdateTime == 0
    ? (nextFundingPaymentTimestamp() - fundingDuration)
    : lastUpdateTime;
  lastUpdateTime = block.timestamp;

  collateralToken.safeTransfer(
    addresses.perpetualAtlanticVaultLP,
    (currentFundingRate * (block.timestamp - startTime)) / 1e18
  );

  IPerpetualAtlanticVaultLP(addresses.perpetualAtlanticVaultLP).addProceeds(
    (currentFundingRate * (block.timestamp - startTime)) / 1e18
  );

  emit FundingPaid(
    msg.sender,
    ((currentFundingRate * (block.timestamp - startTime)) / 1e18),
    latestFundingPaymentPointer
  );
}

Tools Used

Manual Audit

Recommended Mitigation Steps

Implement proper access control checks to prevent attackers from calling the function and stealing funds.

function updateFunding(address Admin) public {
  //Access control check
  require(msg.sender == Admin, "Unauthorized");

  updateFundingPaymentPointer();
  uint256 currentFundingRate = fundingRates[latestFundingPaymentPointer];
  uint256 startTime = lastUpdateTime == 0
    ? (nextFundingPaymentTimestamp() - fundingDuration)
    : lastUpdateTime;
  lastUpdateTime = block.timestamp;

  collateralToken.safeTransfer(
    addresses.perpetualAtlanticVaultLP,
    (currentFundingRate * (block.timestamp - startTime)) / 1e18
  );

  IPerpetualAtlanticVaultLP(addresses.perpetualAtlanticVaultLP).addProceeds(
    (currentFundingRate * (block.timestamp - startTime)) / 1e18
  );

  emit FundingPaid(
    msg.sender,
    ((currentFundingRate * (block.timestamp - startTime)) / 1e18),
    latestFundingPaymentPointer
  );
}

Assessed type

Access Control
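
Added example, not part of the submitted report or the Dopex code: a minimal Solidity contrast between a check that compares `msg.sender` with a caller-supplied address, as in the snippet under Recommended Mitigation Steps, and one that compares it with an address fixed at deployment. The names `FundingGateDemo`, `Outsider`, `updateCallerSupplied` and `updateStored` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added illustration: contract, function and variable names are hypothetical,
// not taken from PerpetualAtlanticVault.sol.
contract FundingGateDemo {
    address public immutable admin; // fixed at deployment, not chosen by the caller
    uint256 public lastUpdateTime;

    error Unauthorized(address caller);

    constructor(address admin_) {
        require(admin_ != address(0), "admin is zero address");
        admin = admin_;
    }

    // Caller-supplied reference: the address to compare against is an argument.
    // Any caller can pass its own address, so this require rejects no one.
    function updateCallerSupplied(address Admin) external {
        require(msg.sender == Admin, "Unauthorized");
        lastUpdateTime = block.timestamp;
    }

    // Stored reference: msg.sender is compared with a value the caller cannot set.
    modifier onlyAdmin() {
        if (msg.sender != admin) revert Unauthorized(msg.sender);
        _;
    }

    function updateStored() external onlyAdmin {
        lastUpdateTime = block.timestamp;
    }
}

// Constructed caller with no privileges, used to compare the two gates.
contract Outsider {
    function tryBoth(FundingGateDemo target)
        external
        returns (bool argGatePassed, bool storedGatePassed)
    {
        // Succeeds: the "Admin" argument is simply this contract's own address.
        try target.updateCallerSupplied(address(this)) { argGatePassed = true; } catch {}
        // Reverts with Unauthorized unless this contract is the stored admin.
        try target.updateStored() { storedGatePassed = true; } catch {}
    }
}
```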

c4-pre-sort commented 1 year ago

bytes032 marked the issue as low quality report

bytes032 commented 1 year ago

Invalid

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Invalid