Closed code423n4 closed 12 months ago
bytes032 marked the issue as duplicate of #747
bytes032 marked the issue as low quality report
bytes032 marked the issue as sufficient quality report
GalloDaSballo changed the severity to QA (Quality Assurance)
Per discussion with judge, adding grade labels on their behalf.
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L657-L666
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L677-L679
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L180-L199
Vulnerability details
Impact
More assets than necessary are being withdrawn from the treasury.
Proof of Concept
In Rdpx V2 Docs it is mentioned that
50% of the rDPX provided for bonding is burnt from the Treasury Reserve and another 50% is sent as emissions to veDPX holders. These percentages are variable and can be controlled by governance.
As it is mentioned that these percentages are variable and controlled by governance, and there are functions called setRdpxBurnPercentage and setRdpxFeePercentage to change these percentages, rdpxBurnPercentage and rdpxFeePercentage combined is not always 100%. But in the _transfer function of the RdpxV2Core contract it is assumed that it is always 100%, and after burning and transferring the fee the whole _rdpxAmount is withdrawn from the rdpxReserve. But if rdpxBurnPercentage and rdpxFeePercentage combined is only 80%, only 80% of _rdpxAmount should be withdrawn from rdpxReserve.
Tools Used
Manual Review
Recommended Mitigation Steps
Instead of always withdrawing 100% of _rdpxAmount from rdpxReserve, only withdraw rdpxBurnPercentage + rdpxFeePercentage percentage of _rdpxAmount from rdpxReserve.
Assessed type
Other
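Added example, not part of the original report or the Dopex code base: a Python model of the accounting the report describes, comparing a full withdrawal of `_rdpxAmount` with the recommended proportional withdrawal. The fixed-point scale `PERCENT_SCALE`, the function name `settle_rdpx`, and the result keys are assumptions made for illustration.

```python
# Assumption: percentages are fixed-point integers where PERCENT_SCALE == 100%.
# The page does not state the contract's precision; this value is illustrative.
PERCENT_SCALE = 10**10


def settle_rdpx(rdpx_amount, burn_pct, fee_pct, withdraw_full):
    """Model one bonding settlement against the reserve (hypothetical helper).

    withdraw_full=True  -> behaviour the report describes: withdraw all of rdpx_amount.
    withdraw_full=False -> report's recommendation: withdraw only (burn + fee) percent.
    Returns the withdrawn, burned, fee and unallocated amounts as integers.
    """
    if rdpx_amount < 0 or burn_pct < 0 or fee_pct < 0:
        raise ValueError("amounts and percentages must be non-negative")
    if burn_pct + fee_pct > PERCENT_SCALE:
        # More than 100% cannot be covered by a single withdrawal of rdpx_amount.
        raise ValueError("burn + fee percentage exceeds 100%")

    # Integer division mirrors on-chain truncating arithmetic.
    burned = rdpx_amount * burn_pct // PERCENT_SCALE
    fee = rdpx_amount * fee_pct // PERCENT_SCALE

    if withdraw_full:
        withdrawn = rdpx_amount
    else:
        withdrawn = rdpx_amount * (burn_pct + fee_pct) // PERCENT_SCALE

    # Whatever left the reserve but was neither burned nor sent as fees.
    unallocated = withdrawn - burned - fee
    return {"withdrawn": withdrawn, "burned": burned,
            "fee": fee, "unallocated": unallocated}


if __name__ == "__main__":
    amount = 1_000 * 10**18  # constructed sample: 1000 tokens with 18 decimals
    pct_40 = 40 * PERCENT_SCALE // 100
    pct_50 = 50 * PERCENT_SCALE // 100
    cases = [("50/50 full", pct_50, pct_50, True),
             ("40/40 full", pct_40, pct_40, True),
             ("40/40 proportional", pct_40, pct_40, False)]
    for label, burn, fee, full in cases:
        print(label, settle_rdpx(amount, burn, fee, full))
```

With the documented 50/50 split both variants withdraw the same amount; the difference only appears once governance sets the two percentages to a sum below 100%.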