Open code423n4 opened 1 year ago
bytes032 marked the issue as sufficient quality report
bytes032 marked the issue as primary issue
psytama (sponsor) confirmed
GalloDaSballo marked the issue as selected for report
I believe this is invalid, because it is a feature of the protocol.
The option is always fully cash secured, and no way to redeem the underlying bond. And here the option is perpetual, it is by design to last if the option is OTM. And premium should be paid as long as it is not exercised, it is not lock of fund (since the put writer sell the options by themselves).
And the dups are also talking about the designed feature. This is not vuln, but the intended behavior.
I believe this is invalid, because it is a feature of the protocol.
The option is always fully cash secured, and no way to redeem the underlying bond. And here the option is perpetual, it is by design to last if the option is OTM. And premium should be paid as long as it is not exercised, it is not lock of fund (since the put writer sell the options by themselves).
And the dups are also talking about the designed feature. This is not vuln, but the intended behavior.
What happens when so much premiums are paid that the contract runs out of funds?
Allowing till EOD for clarifying the above by @141345
Unless I receive further info, I'm keeping this as open
What happens when so much premiums are paid that the contract runs out of funds?
Yes, running out of funds is a problem, but it's on another level (protocol level). I think this issue seems more like feature improvement. As for the perpetual put option itself (product level), the mechanism is self-consistent, "perpetual premium" can be seen as designed feature (better to consider more situation, but not flawed).
The agreement of option counter parties is:
Here the term is, the buyer pay premium on and on, until settlement (forever premium if never hit strike price). The buyer (here is the protocol) need to make sure enough cash flow is generated in the long term. This agreement itself has no problem.
Some factory can rent some equipment customized for them, signs a lease with no expiry and agrees to pay forever.
But the situation that the factory going bankrupcy is possilbe, no money to pay, and the equipment is worthless to other people. That's not a bug of the original lease. But some situation nice to consider.
The lease term makes sense, it covers the situation if everyting goes as designed. Missing unexpected situation does not mean the lease term has loophole.
Back to this context, having no fund to pay is some problem on a higher level, the protocol itself has financial insolvency. When that happens, it's a question whether the protocol can continue to operate, not about the specific mechanism of the product.
That's why I think the designed behavior of "perpetual" is ok. Handle unexpected fund deficit is feature improvement.
The put options are the mechanism to hedge the risk of a depeg when the rDPX price drops, therefore the premium paid for funding those options should always continue (OTM should not be settled). If not, you will have rDPX that's not backed by anything which exposes dpxETH to depegging which will theoretically drop the price down to 75% ETH price. Paying these premiums is what allow the protocol to have a way to sell the rDPX for ETH when its price drops to maintain the dpxETH stability. This hedging will have a lot of value when rDPX drops as it reduces the depeg risk and of course it will have a cost (premiums) if the rDPX do not drop, and that's how hedging works, limiting the risk for a cost. I suppose this is the main idea behind the whole protocol's implementation.
With the information
It's legitimate to ask whether this is a design decision, however the very real consequences of this are that funding is paid for something that users wouldn't want to, leading me to believe that this can be viewed as a footgun that is causing a leak of value under reasonable circumnstances
For this reason, I believe the finding is valid and of medium severity
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L333 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L800 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L376
Vulnerability details
In the current implementation of
PerpetualAtlanticVault::settle
, the only way anoptionId
can be burnt is when the option is in-the-money. Note that at the time of bonding, a put option that is 25% out of the money is purchased by user. If the RDPX-ETH price is above this price, the option is rolled over to the next epoch and a new premium is again calculated inside thePerpetualAtlanticVault::calculateFunding
and added to thetotalFundingForEpoch
.Effectively, as long as the option is out of money, the funding cost continues to be deducted from core contract and passed to Atlantic vault LPs. There is no check if the underlying bond for which this put option is minted is redeemed or not.
Not completely sure if this is bug or feature of Perpetual Atlantic Puts but since the utility of these puts is to protect downside price movements of RDPX during bonding, such options should be retired once the underlying bond is redeemed by user. Paying out a premium on a perennial basis to Atlantic LP's does not make sense.
Impact
There are 2 implications:
optionStrikes[strike]
never reduces so long as the option continues to be OTM.Proof of Concept
Tools Used
Manual
Recommended Mitigation Steps
Consider settling
optionIds
that no longer have an underlying bonding. Put options for such bonds should expire and free up locked collateral in Atlantic Vaults.Assessed type
Other