code-423n4 / 2023-08-dopex-findings


rdpxRequired value sets to 0 or faces Arithmetic overflow/underflow error. #2205

Closed code423n4 closed 12 months ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1162-L1202

Vulnerability details

Impact

Detailed description of the impact of this finding. rdpxRequired value sets to 0 or faces Arithmetic overflow/underflow error for _rdpxBondId == 0 if bondDiscount value >= 50e8 resulting in wrong calculations of wethRequired and premium if putOptionsRequired is also True.

Proof of Concept

Provide direct links to all referenced code in GitHub. Add screenshots, logs, or any other relevant proof that illustrates the concept.

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1162-L1202

In Line no. 1162, if _rdpxBondId == 0 there is a discount in the bond. The formula to calculate rdpxRequired if _rdpxBondId == 0 is:

rdpxRequired = ((RDPX_RATIO_PERCENTAGE - (bondDiscount / 2)) * _amount * DEFAULT_PRECISION) / (DEFAULT_PRECISION * rdpxPrice * 1e2);

RDPX_RATIO_PERCENTAGE = 25e8. In Line no. 1167, _validate(bondDiscount < 100e8, 14); so for bondDiscount values from >=50e8 to <100e8, the rdpxRequired value can be 0 or can give an arithmetic overflow/underflow error. Also, in Line no. 1196 & 1197, because of the wrong rdpxRequired value, wethRequired and premium will be wrongly calculated.

Tools Used

Manual review

Recommended Mitigation Steps

RDPX_RATIO_PERCENTAGE and ETH_RATIO_PERCENTAGE are 25 and 75 percent respectively, so instead of taking this check _validate(bondDiscount < 100e8, 14); which is checking to keep bondDiscount < absolute 100%, the check should be applied relative to RDPX_RATIO_PERCENTAGE and ETH_RATIO_PERCENTAGE.

Assessed type

Math
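The arithmetic described in the report above, modelled as an added example that is not part of the original submission or of the Dopex code base. It evaluates the quoted rdpxRequired formula under Solidity 0.8 checked uint256 semantics and bisects for the first bondDiscount that the existing `< 100e8` check accepts but the formula cannot handle. The function names, DEFAULT_PRECISION = 1e8, and the sample amount and rdpxPrice are assumptions.

```python
# Added model (not Dopex code) of the rdpxRequired formula quoted in the report,
# using Solidity 0.8 checked uint256 semantics.
UINT256_MAX = 2**256 - 1
RDPX_RATIO_PERCENTAGE = 25 * 10**8  # 25e8, from the report
BOND_DISCOUNT_CAP = 100 * 10**8     # existing check: bondDiscount < 100e8
DEFAULT_PRECISION = 10**8           # assumption: value not stated in the report


class Panic(Exception):
    """Stands in for Solidity's Panic(0x11) arithmetic revert."""


def checked_sub(a, b):
    if b > a:
        raise Panic("underflow")
    return a - b


def checked_mul(a, b):
    if a * b > UINT256_MAX:
        raise Panic("overflow")
    return a * b


def rdpx_required(bond_discount, amount, rdpx_price):
    # bondDiscount / 2 truncates in Solidity, hence integer division here.
    ratio = checked_sub(RDPX_RATIO_PERCENTAGE, bond_discount // 2)
    numerator = checked_mul(checked_mul(ratio, amount), DEFAULT_PRECISION)
    denominator = checked_mul(checked_mul(DEFAULT_PRECISION, rdpx_price), 100)
    return numerator // denominator


def classify(bond_discount, amount=10**18, rdpx_price=2 * 10**6):
    """Outcome for one bondDiscount; amount and rdpx_price are constructed samples."""
    if bond_discount >= BOND_DISCOUNT_CAP:
        return "rejected"  # _validate(bondDiscount < 100e8, 14) fails
    try:
        value = rdpx_required(bond_discount, amount, rdpx_price)
    except Panic:
        return "panic"
    return "ok" if value > 0 else "zero"


def first_unsafe_discount():
    """Smallest bondDiscount that passes the existing check but is not 'ok'."""
    lo, hi = 0, BOND_DISCOUNT_CAP
    while lo < hi:  # outcomes are monotonic in bondDiscount, so bisect
        mid = (lo + hi) // 2
        lo, hi = (mid + 1, hi) if classify(mid) == "ok" else (lo, mid)
    return lo
```

With these sample inputs the boundary is 2 * RDPX_RATIO_PERCENTAGE (50e8), which is the bound a check relative to RDPX_RATIO_PERCENTAGE would enforce.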

c4-pre-sort commented 12 months ago

bytes032 marked the issue as duplicate of #245

c4-pre-sort commented 12 months ago

bytes032 marked the issue as low quality report

c4-pre-sort commented 11 months ago

bytes032 marked the issue as duplicate of #2084

c4-judge commented 11 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)