`rdpxBurnPercentage` and `rdpxFeePercentage` combined is not always 100 percent

[code423n4]

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L657-L666 https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L677-L679 https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L180-L199

Vulnerability details

Impact

More assets than necessary are being withdrawn from the treasury.

Proof of Concept

In Rdpx V2 Docs it is mentioned that 50% of the rDPX provided for bonding is burnt from the Treasury Reserve and another 50% is sent as emissions to veDPX holders. These percentages are variable and can be controlled by governance. As it is mentioned that these percentages are variable and controlled by governance and there are function called setRdpxBurnPercentage and setRdpxFeePercentage to change these percentages.

so rdpxBurnPercentage and rdpxFeePercentage combined is not always 100%.

But in _transfer function of RdpxV2Core contract it is assumed that it is always 100% and after burning and transferring fee the whole _rdpxAmount is being withdraw from the rdpxReserve.

But if only rdpxBurnPercentage and rdpxFeePercentage combined is only 80%, only 80% of _rdpxAmount should be withdrawn from rdpxReserve

Tools Used

Manual Review

Recommended Mitigation Steps

Instead of withdrawing 100% of _rdpxAmount from rdpxReserve always , only withdraw rdpxBurnPercentage + rdpxFeePercentage percentage of _rdpxAmount from rdpxReserve

Assessed type

Other

[c4-pre-sort]

bytes032 marked the issue as duplicate of #747

[c4-pre-sort]

bytes032 marked the issue as low quality report

[c4-pre-sort]

bytes032 marked the issue as sufficient quality report

[c4-judge]

GalloDaSballo changed the severity to QA (Quality Assurance)

[liveactionllama]

Per discussion with judge, adding grade labels on their behalf.