Impact
No bonds can be bought until the admin withdraws funds from the reserves.
Proof of Concept
The protocol has a discount system that gives users bonds at lower prices based on the amount of funds held in the protocol's reserve contract. The issue arises because a calculation underflows when the discount factor becomes larger than 50e8 or 50%.
// @audit-issue no discount over 50e8 is going to work out
rdpxRequired =
((RDPX_RATIO_PERCENTAGE - (bondDiscount / 2)) *
_amount *
DEFAULT_PRECISION) /
(DEFAULT_PRECISION * rdpxPrice * 1e2);
The above calculation will always underflow and revert because of RDPX_RATIO_PERCENTAGE - (bondDiscount / 2). RDPX_RATIO_PERCENTAGE is a constant equal to 25e8, and (bondDiscount / 2) is always going to be larger than the rDPX ratio if the discount factor is above 50%.
With a bond discount factor of 1e5, the amount of tokens the reserve needs to hold to reach this discount percentage is 250000. If the reserve holds such an amount, no one can buy any bonds until the admin intervenes and withdraws a portion of it.
Tools Used
Manual review, Foundry
Recommended Mitigation Steps
Consider either applying the discount proportionally to each of the two tokens, so that rDPX receives 25% of the discount and WETH receives 75%, or capping the maximum possible discount at 50%. Either solution will mitigate the issue at hand.
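A Foundry test that isolates the expression, added here as an example and not taken from the original report or the project's code base. It shows the revert once the discount exceeds 50e8 and sketches the second mitigation option (capping the discount at 50%). The names BondMath, MAX_BOND_DISCOUNT and rdpxRequiredCapped, the value of DEFAULT_PRECISION, and the sample amount and price are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

import {Test, stdError} from "forge-std/Test.sol";

// Added illustration: isolates the expression quoted in the finding.
contract BondMath {
    uint256 public constant RDPX_RATIO_PERCENTAGE = 25e8; // value stated in the finding
    uint256 public constant DEFAULT_PRECISION = 1e8; // assumption: cancels out of the formula
    uint256 public constant MAX_BOND_DISCOUNT = 50e8; // hypothetical cap (mitigation option 2)

    // Same arithmetic as the snippet in the finding (checked math in 0.8.x).
    function rdpxRequired(uint256 bondDiscount, uint256 amount, uint256 rdpxPrice)
        public pure returns (uint256)
    {
        return ((RDPX_RATIO_PERCENTAGE - (bondDiscount / 2)) * amount * DEFAULT_PRECISION)
            / (DEFAULT_PRECISION * rdpxPrice * 1e2);
    }

    // Hypothetical hardened variant: clamp the discount before the subtraction.
    function rdpxRequiredCapped(uint256 bondDiscount, uint256 amount, uint256 rdpxPrice)
        external pure returns (uint256)
    {
        if (bondDiscount > MAX_BOND_DISCOUNT) bondDiscount = MAX_BOND_DISCOUNT;
        return rdpxRequired(bondDiscount, amount, rdpxPrice);
    }
}

contract BondDiscountUnderflowTest is Test {
    BondMath math;
    uint256 constant AMOUNT = 1e18; // constructed sample inputs
    uint256 constant PRICE = 2e7;

    function setUp() public { math = new BondMath(); }

    function test_boundaryStillWorks() public {
        // bondDiscount / 2 == 25e8, so the subtraction yields 0 and does not revert
        assertEq(math.rdpxRequired(50e8, AMOUNT, PRICE), 0);
    }

    function test_aboveFiftyPercentReverts() public {
        vm.expectRevert(stdError.arithmeticError); // Panic(0x11)
        math.rdpxRequired(50e8 + 2, AMOUNT, PRICE); // +2 because of integer division by 2
    }

    function test_cappedVariantDoesNotRevert() public {
        assertEq(math.rdpxRequiredCapped(60e8, AMOUNT, PRICE), 0);
    }
}
```

With the cap in place, a discount at or above 50e8 makes the rDPX requirement zero instead of reverting, so whether that is acceptable economically is a separate design decision.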
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1169-L1173
Assessed type
Under/Overflow