No mechanism to settle out-of-money put options even after Bond receipt token is redeemed.

[code423n4]

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L333 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L800 https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L376

Vulnerability details

In the current implementation of PerpetualAtlanticVault::settle, the only way an optionId can be burnt is when the option is in-the-money. Note that at the time of bonding, a put option that is 25% out of the money is purchased by user. If the RDPX-ETH price is above this price, the option is rolled over to the next epoch and a new premium is again calculated inside the PerpetualAtlanticVault::calculateFunding and added to the totalFundingForEpoch.

Effectively, as long as the option is out of money, the funding cost continues to be deducted from core contract and passed to Atlantic vault LPs. There is no check if the underlying bond for which this put option is minted is redeemed or not.

Not completely sure if this is bug or feature of Perpetual Atlantic Puts but since the utility of these puts is to protect downside price movements of RDPX during bonding, such options should be retired once the underlying bond is redeemed by user. Paying out a premium on a perennial basis to Atlantic LP's does not make sense.

Impact

There are 2 implications:

1. Atlantic vault LPs collateral will be locked so long as option is out of money. This is because optionStrikes[strike] never reduces so long as the option continues to be OTM.
2. Core contract continues to pay out funding costs for OTM options that cannot be settled.

Proof of Concept

Tools Used

Manual

Recommended Mitigation Steps

Consider settling optionIds that no longer have an underlying bonding. Put options for such bonds should expire and free up locked collateral in Atlantic Vaults.

Assessed type

Other

[c4-pre-sort]

bytes032 marked the issue as sufficient quality report

[c4-pre-sort]

bytes032 marked the issue as primary issue

[c4-sponsor]

psytama (sponsor) confirmed

[c4-judge]

GalloDaSballo marked the issue as selected for report

[141345]

I believe this is invalid, because it is a feature of the protocol.

The option is always fully cash secured, and no way to redeem the underlying bond. And here the option is perpetual, it is by design to last if the option is OTM. And premium should be paid as long as it is not exercised, it is not lock of fund (since the put writer sell the options by themselves).

And the dups are also talking about the designed feature. This is not vuln, but the intended behavior.

[GalloDaSballo]

I believe this is invalid, because it is a feature of the protocol.

The option is always fully cash secured, and no way to redeem the underlying bond. And here the option is perpetual, it is by design to last if the option is OTM. And premium should be paid as long as it is not exercised, it is not lock of fund (since the put writer sell the options by themselves).

And the dups are also talking about the designed feature. This is not vuln, but the intended behavior.

What happens when so much premiums are paid that the contract runs out of funds?

[GalloDaSballo]

Allowing till EOD for clarifying the above by @141345

Unless I receive further info, I'm keeping this as open

[141345]

What happens when so much premiums are paid that the contract runs out of funds?

Yes, running out of funds is a problem, but it's on another level (protocol level). I think this issue seems more like feature improvement. As for the perpetual put option itself (product level), the mechanism is self-consistent, "perpetual premium" can be seen as designed feature (better to consider more situation, but not flawed).

option agreement

The agreement of option counter parties is:

• buyer: pay premium
• seller: trade at the strike price

Here the term is, the buyer pay premium on and on, until settlement (forever premium if never hit strike price). The buyer (here is the protocol) need to make sure enough cash flow is generated in the long term. This agreement itself has no problem.

An analogy

Some factory can rent some equipment customized for them, signs a lease with no expiry and agrees to pay forever.

But the situation that the factory going bankrupcy is possilbe, no money to pay, and the equipment is worthless to other people. That's not a bug of the original lease. But some situation nice to consider.

The lease term makes sense, it covers the situation if everyting goes as designed. Missing unexpected situation does not mean the lease term has loophole.

Summary

Back to this context, having no fund to pay is some problem on a higher level, the protocol itself has financial insolvency. When that happens, it's a question whether the protocol can continue to operate, not about the specific mechanism of the product.

That's why I think the designed behavior of "perpetual" is ok. Handle unexpected fund deficit is feature improvement.

[ubermensch3dot0]

The put options are the mechanism to hedge the risk of a depeg when the rDPX price drops, therefore the premium paid for funding those options should always continue (OTM should not be settled). If not, you will have rDPX that's not backed by anything which exposes dpxETH to depegging which will theoretically drop the price down to 75% ETH price. Paying these premiums is what allow the protocol to have a way to sell the rDPX for ETH when its price drops to maintain the dpxETH stability. This hedging will have a lot of value when rDPX drops as it reduces the depeg risk and of course it will have a cost (premiums) if the rDPX do not drop, and that's how hedging works, limiting the risk for a cost. I suppose this is the main idea behind the whole protocol's implementation.

[GalloDaSballo]

With the information

• The notion of forfeiting was not made up by the wardens but was mentioned in the provided docs: https://dopex.notion.site/rDPX-V2-RI-b45b5b402af54bcab758d62fb7c69cb4#:~:text=(when%20the%20core%20contract%20buys%20options%20collateral%20is%20locked%20until%20the%20Core%20Contract%20settles%20or%20forfeits%20options)
• The protocol can run into a scenario in which it pays for things that should be deprecated / are irrational, which requires a redeployment

It's legitimate to ask whether this is a design decision, however the very real consequences of this are that funding is paid for something that users wouldn't want to, leading me to believe that this can be viewed as a footgun that is causing a leak of value under reasonable circumnstances

For this reason, I believe the finding is valid and of medium severity