Impact
When _rdpxBondId == 0 and bondDiscount >= 50e8, rdpxRequired is set to 0 or the calculation fails with an arithmetic overflow/underflow error, which results in wrong calculations of wethRequired and premium if putOptionsRequired is also true.
Proof of Concept
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1162-L1202
At line 1162, if _rdpxBondId == 0, a discount is applied to the bond.
The formula used to calculate rdpxRequired when _rdpxBondId == 0 is:
rdpxRequired =
  ((RDPX_RATIO_PERCENTAGE - (bondDiscount / 2)) *
    _amount *
    DEFAULT_PRECISION) /
  (DEFAULT_PRECISION * rdpxPrice * 1e2);
where RDPX_RATIO_PERCENTAGE = 25e8.
At line 1167, the check is _validate(bondDiscount < 100e8, 14);
So for bondDiscount values from 50e8 up to (but not including) 100e8, rdpxRequired can be 0 or the calculation can fail with an arithmetic overflow/underflow error: the subtraction RDPX_RATIO_PERCENTAGE - (bondDiscount / 2) yields 0 when bondDiscount / 2 equals 25e8 and underflows when it exceeds 25e8.
Also, at lines 1196 and 1197, the wrong rdpxRequired value causes wethRequired and premium to be calculated wrongly.
Tools Used
Manual review
Recommended Mitigation Steps
RDPX_RATIO_PERCENTAGE and ETH_RATIO_PERCENTAGE are 25 and 75 percent respectively, so instead of the check _validate(bondDiscount < 100e8, 14);, which keeps bondDiscount below an absolute 100%, the check should be applied relative to RDPX_RATIO_PERCENTAGE and ETH_RATIO_PERCENTAGE.
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1162-L1202
Assessed type
Math
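The boundary behaviour from the Proof of Concept, as an added Python model that is not part of the original report or the Dopex code base. It mimics Solidity 0.8 checked subtraction for the quoted rdpxRequired formula and compares the current 100e8 bound with a bound relative to RDPX_RATIO_PERCENTAGE. Assumptions: DEFAULT_PRECISION = 1e8, the sample amount and rdpxPrice are constructed, and 2 * RDPX_RATIO_PERCENTAGE is only one possible reading of the recommended relative check.

```python
# Added model (not Dopex code) of the _rdpxBondId == 0 branch with
# Solidity 0.8 checked uint256 subtraction.
RDPX_RATIO_PERCENTAGE = 25 * 10**8  # value given in the finding
ABSOLUTE_BOUND = 100 * 10**8        # _validate(bondDiscount < 100e8, 14)
RELATIVE_BOUND = 2 * RDPX_RATIO_PERCENTAGE  # assumed reading of the mitigation
DEFAULT_PRECISION = 10**8           # assumption; it cancels out of the formula


class Panic(Exception):
    """Stands in for Solidity's arithmetic overflow/underflow revert."""


def rdpx_required(bond_discount, amount, rdpx_price, bound=ABSOLUTE_BOUND):
    if not bond_discount < bound:
        raise ValueError("validation error 14")
    half = bond_discount // 2
    if half > RDPX_RATIO_PERCENTAGE:  # checked subtraction reverts
        raise Panic("RDPX_RATIO_PERCENTAGE - bondDiscount / 2 underflows")
    ratio = RDPX_RATIO_PERCENTAGE - half
    return (ratio * amount * DEFAULT_PRECISION) // (
        DEFAULT_PRECISION * rdpx_price * 100
    )


def classify(bond_discount, bound=ABSOLUTE_BOUND):
    """Return 'ok', 'zero', 'reverts' or 'rejected' for constructed inputs."""
    amount, rdpx_price = 10**18, 2 * 10**7  # constructed sample values
    try:
        value = rdpx_required(bond_discount, amount, rdpx_price, bound)
    except Panic:
        return "reverts"
    except ValueError:
        return "rejected"
    return "ok" if value > 0 else "zero"


if __name__ == "__main__":
    for d in (10 * 10**8, 50 * 10**8 - 1, 50 * 10**8, 50 * 10**8 + 2, 99 * 10**8):
        print(f"bondDiscount={d}: current check -> {classify(d)}, "
              f"relative check -> {classify(d, RELATIVE_BOUND)}")
```

Because bondDiscount / 2 uses integer division, 50e8 + 1 still produces 0 rather than a revert; the underflow starts at 50e8 + 2.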