Closed code423n4 closed 12 months ago
bytes032 marked the issue as duplicate of #1196
bytes032 marked the issue as duplicate of #747
bytes032 marked the issue as sufficient quality report
GalloDaSballo changed the severity to QA (Quality Assurance)
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L175-L199
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L652-L666
Vulnerability details
Impact
When updating the values of the variables `rdpxBurnPercentage` and `rdpxFeePercentage`, their respective setter function does not check that the sum of those two variables is equal to `1e10` after the new values are set. This can result in bad RDPX balance accounting if the sum is less than `1e10`, and if it is greater it will lead to either burning more RDPX funds or sending more RDPX fees than intended.
Proof of Concept
The values of `rdpxBurnPercentage` and `rdpxFeePercentage` are used to handle the RDPX token amount transferred from the user for bonding. As both variables represent a % of the amount, their sum should be equal to 100%, or in our case `1e10`.
The issue is that in both the setter functions for these variables there is no check to ensure that their sum will be equal to `1e10`:
This can cause problems: if one of the variables is changed without changing the other as well, or if when changing them their sum is different from `1e10`, some RDPX funds transferred by the user may not be accounted for, or it could lead to either burning too much RDPX funds or sending a greater amount as fees than what was intended.
This happens because of the following lines of code:
As you can see, when `_rdpxAmount` is pulled from the user, a `rdpxBurnPercentage` % of it is burned (currently 50%) and `rdpxFeePercentage` % is sent as fees.
But if at some point the sum of `rdpxBurnPercentage` and `rdpxFeePercentage` is not equal to `1e10` (100%), then the contract will either not use all the RDPX funds sent by the user (if the sum is less than `1e10`), which will stay in the contract but will not be added to the variables tracking the RDPX token balance, or, if the sum is greater than `1e10`, the contract will have to pull tokens from its internal RDPX balance to handle the additional RDPX amount to be burned or transferred as fees, because in this case the user amount will not be sufficient to cover both the burning operation and the fees transfer.
In both cases this issue will lead to bad accounting of the RDPX token balance inside the contract and even a loss of RDPX tokens.
Tools Used
Manual review
Recommended Mitigation Steps
To avoid this issue, I recommend creating a single setter function for updating both the `rdpxBurnPercentage` and `rdpxFeePercentage` variables and adding a check inside it to verify that their sum is always equal to `1e10`.
Assessed type
Context
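The single setter recommended under Recommended Mitigation Steps, sketched as an added example (not code from the report or from the Dopex repository). The contract name, `PERCENT_PRECISION`, `setRdpxBurnAndFeePercentage`, `splitAmount`, the `admin` check, the errors and the event are all hypothetical; only the two variable names, the `1e10` scale and the 50% burn value come from the report.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Added illustration only; not the RdpxV2Core contract.
contract BurnFeeSplit {
    // 1e10 represents 100%, as stated in the report.
    uint256 public constant PERCENT_PRECISION = 1e10; // hypothetical name

    // Assumption: a single admin stands in for the project's real access control.
    address public immutable admin;

    uint256 public rdpxBurnPercentage = 50 * 1e8; // 50%, per the report
    uint256 public rdpxFeePercentage = 50 * 1e8;  // remainder, so the sum is 1e10

    error NotAdmin();
    error PercentagesMustSumToPrecision(uint256 sum);

    event BurnAndFeePercentagesSet(uint256 burnPercentage, uint256 feePercentage);

    constructor() {
        admin = msg.sender;
    }

    /// Hypothetical combined setter: both values are written in one call, so
    /// no state exists in which burn + fee differs from 1e10.
    function setRdpxBurnAndFeePercentage(
        uint256 burnPercentage,
        uint256 feePercentage
    ) external {
        if (msg.sender != admin) revert NotAdmin();
        uint256 sum = burnPercentage + feePercentage;
        if (sum != PERCENT_PRECISION) revert PercentagesMustSumToPrecision(sum);
        rdpxBurnPercentage = burnPercentage;
        rdpxFeePercentage = feePercentage;
        emit BurnAndFeePercentagesSet(burnPercentage, feePercentage);
    }

    /// Splits an amount pulled from the user. The fee is taken as the
    /// remainder, so integer-division dust cannot be left unaccounted for
    /// (this goes one step beyond the check the report asks for).
    function splitAmount(uint256 rdpxAmount)
        public
        view
        returns (uint256 burnAmount, uint256 feeAmount)
    {
        burnAmount = (rdpxAmount * rdpxBurnPercentage) / PERCENT_PRECISION;
        feeAmount = rdpxAmount - burnAmount;
    }
}
```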