Closed code423n4 closed 11 months ago
bytes032 marked the issue as duplicate of #2186
bytes032 marked the issue as sufficient quality report
Main because of POC
GalloDaSballo marked the issue as selected for report
GalloDaSballo marked issue #1788 as primary and marked this issue as a duplicate of 1788
GalloDaSballo changed the severity to 2 (Med Risk)
GalloDaSballo marked the issue as satisfactory
GalloDaSballo changed the severity to 3 (High Risk)
GalloDaSballo marked the issue as partial-50
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L975-L990
Vulnerability details
Impact
Function
RdpxV2Core#withdraw()
lets delegate owners withdraw their unused WETH. However, withdrawn amount is not deducted fromtotalWethDelegated
, which causes WETH asset reserve tracked improperly. The impacts could be:sync
gets reverted whentotalWethDelegated
is greater than token balancesync()
function, other logics get affected: a.lowerDepeg
could get reverted because of underflowed at linereserveAsset[reservesIndex["WETH"]].tokenBalance -= _wethAmount;
b. functionprovideFunding
could get reverted because of underflowed ...So far, many functions would get DoS
Proof of Concept
Tools Used
Foundry, Manual review
Recommended Mitigation Steps
Add
totalWethDelegated -= totalWethDelegated += _amount;
to functionwithdraw
Assessed type
Other