code-423n4 / 2023-08-dopex-findings


No bond discount above 50% can be given due to an underflowing calculation #2182

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1169-L1173

Vulnerability details

Impact

No bonds are going to be able to be bought until funds get withdrawn from the reserves by the admin.

Proof of Concept

The protocol has a discount system that gives bonds to users at lower prices based on how much funds there are in the protocol's reserve contract. The issue arises due to a calculation underflowing when the discount factor becomes larger than 50e8 or 50%.

      // @audit-issue no discount over 50e8 is going to work out
      rdpxRequired =
        ((RDPX_RATIO_PERCENTAGE - (bondDiscount / 2)) *
          _amount *
          DEFAULT_PRECISION) /
        (DEFAULT_PRECISION * rdpxPrice * 1e2);

The above calculation will always underflow and revert due to RDPX_RATIO_PERCENTAGE - (bondDiscount / 2). RDPX_RATIO_PERCENTAGE is a constant that is 25e8, and (bondDiscount / 2) is always going to be a bigger value than the rDPX ratio if the discount factor is above 50%.

With a bond discount factor of 1e5 the amount of tokens the reserve needs to hold to have this percent of discount is 250000. So in the case of it having such an amount no one can buy any bonds until the admin intervenes and withdraws a portion of it.

Tools Used

Manual review, Foundry

Recommended Mitigation Steps

Consider either making the discount get applied proportionally to each of the two tokens so that rDPX receives 25% of the discount and WETH receives 75%, or making the maximum possible discount be 50%. Either of those solutions will mitigate the issue at hand.

Assessed type

Under/Overflow
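Added example, not part of the original report or the Dopex code base: a minimal Solidity model of the quoted formula that shows the checked-subtraction revert and one reading of the "maximum possible discount of 50%" mitigation (clamping). Only RDPX_RATIO_PERCENTAGE = 25e8 and the formula come from the report; the contract and function names, MAX_BOND_DISCOUNT and DEFAULT_PRECISION = 1e8 are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Illustration only. Names and DEFAULT_PRECISION are assumptions, not project code.
contract BondDiscountModel {
    uint256 public constant RDPX_RATIO_PERCENTAGE = 25e8; // value stated in the report
    uint256 public constant DEFAULT_PRECISION = 1e8;      // assumed; cancels out in the formula
    // Hypothetical cap: the largest discount for which bondDiscount / 2 still fits (50e8 = 50%).
    uint256 public constant MAX_BOND_DISCOUNT = 2 * RDPX_RATIO_PERCENTAGE;

    /// Formula as quoted in the report. Under Solidity >= 0.8 checked arithmetic the
    /// subtraction reverts with Panic(0x11) once bondDiscount / 2 exceeds RDPX_RATIO_PERCENTAGE.
    function rdpxRequiredOriginal(uint256 bondDiscount, uint256 amount, uint256 rdpxPrice)
        public
        pure
        returns (uint256)
    {
        return ((RDPX_RATIO_PERCENTAGE - (bondDiscount / 2)) * amount * DEFAULT_PRECISION)
            / (DEFAULT_PRECISION * rdpxPrice * 1e2);
    }

    /// Mitigation variant: clamp the discount at 50% so bonding keeps working when the
    /// reserve grows. At the cap the rDPX leg becomes zero.
    function rdpxRequiredCapped(uint256 bondDiscount, uint256 amount, uint256 rdpxPrice)
        external
        pure
        returns (uint256)
    {
        uint256 capped = bondDiscount > MAX_BOND_DISCOUNT ? MAX_BOND_DISCOUNT : bondDiscount;
        return rdpxRequiredOriginal(capped, amount, rdpxPrice);
    }

    /// Returns true when the original formula hits the arithmetic panic for this input.
    /// Uses an external self-call so the revert can be caught and classified.
    function originalReverts(uint256 bondDiscount, uint256 amount, uint256 rdpxPrice)
        external
        view
        returns (bool)
    {
        try this.rdpxRequiredOriginal(bondDiscount, amount, rdpxPrice) returns (uint256) {
            return false;
        } catch Panic(uint256 code) {
            return code == 0x11; // 0x11 = arithmetic underflow/overflow
        }
    }
}
```

With a non-zero rdpxPrice, originalReverts returns false for a discount of 50e8 and true for 60e8, while rdpxRequiredCapped returns 0 for both.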

c4-pre-sort commented 1 year ago

bytes032 marked the issue as duplicate of #245

c4-pre-sort commented 12 months ago

bytes032 marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

bytes032 marked the issue as duplicate of #2084

c4-judge commented 11 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)