In `bond` and `bondWithDelegate`, Perpetual Atlantic PUT options are purchased if **putOptionsRequired=true**. However, the `RdpxV2Core` contract never approves the `PerpetualAtlanticVault` contract to spend any of the collateral tokens used to mint the options.
As a result, `bond` and `bondWithDelegate` will revert when they try to mint options.
Proof of Concept
The admin calls `setPutOptionsRequired` with `true`.
A user calls `bond` or `bondWithDelegate`, which in turn calls `_purchaseOptions()`, which calls the `purchase` function of the `PerpetualAtlanticVault` contract.
The following line will revert, since the vault has no approval to transfer from the `RdpxV2Core` contract:
```solidity
// Transfer premium from msg.sender to PerpetualAtlantics vault
collateralToken.safeTransferFrom(msg.sender, address(this), premium);
```
Tools Used
Manual Review.
Recommended Mitigation Steps
Call the approve function to allow the PerpetualAtlanticVault contract to transfer from the RdpxV2Core contract like so:
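As an added example, not the report's snippet or the project's code, the following minimal model shows the pull-payment path reverting until the core approves the vault. `MockToken`, `MockVault`, `MockCore`, `approveVault` and `purchaseOptions` are hypothetical names introduced for illustration.

```solidity
pragma solidity ^0.8.19;

// Constructed minimal model of the allowance check; hypothetical names, not the Dopex contracts.
contract MockToken {
    mapping(address => uint256) public balanceOf;
    mapping(address => mapping(address => uint256)) public allowance;

    function mint(address to, uint256 amount) external { balanceOf[to] += amount; }

    function approve(address spender, uint256 amount) external returns (bool) {
        allowance[msg.sender][spender] = amount;
        return true;
    }

    function transferFrom(address from, address to, uint256 amount) external returns (bool) {
        // Checked arithmetic in 0.8.x reverts here when the caller's allowance is too small.
        allowance[from][msg.sender] -= amount;
        balanceOf[from] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

contract MockVault {
    MockToken public immutable collateralToken;
    constructor(MockToken token) { collateralToken = token; }

    // Same pull pattern as the quoted line: the vault pulls the premium from its caller.
    function purchase(uint256 premium) external {
        require(collateralToken.transferFrom(msg.sender, address(this), premium), "transfer failed");
    }
}

contract MockCore {
    MockToken public immutable collateralToken;
    MockVault public immutable vault;
    constructor(MockToken t, MockVault v) { collateralToken = t; vault = v; }

    // Grants the vault an allowance over the core's collateral.
    // Access control is omitted in this sketch; a real contract would restrict this to an admin.
    function approveVault(uint256 amount) external {
        collateralToken.approve(address(vault), amount);
    }

    // Reverts unless approveVault() has granted at least `premium`.
    function purchaseOptions(uint256 premium) external { vault.purchase(premium); }
}
```

After minting collateral to `MockCore`, `purchaseOptions(1)` reverts with an arithmetic underflow; once `approveVault(1)` has been called, the same call succeeds and moves the premium to the vault.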
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L919-L922
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L855-L858
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L471-L487
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L288-L289
Assessed type
Token-Transfer