Closed code423n4 closed 10 months ago
The peg stability module is part of the [Core Contract](https://www.notion.so/rDPX-V2-RI-b45b5b402af54bcab758d62fb7c69cb4?pvs=21) that ensures that the peg of dpxETH to ETH on the curve pool is maintained. It is entirely controlled via the [Core Contract](https://www.notion.so/rDPX-V2-RI-b45b5b402af54bcab758d62fb7c69cb4?pvs=21) managers and it encompasses 3 functions:
https://dopex.notion.site/rDPX-V2-RI-b45b5b402af54bcab758d62fb7c69cb4
bytes032 marked the issue as low quality report
I think otherwise creates further risks as you can manipulate the reserves
GalloDaSballo marked the issue as unsatisfactory: Invalid
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L1054
Vulnerability details
Impact
Only admin (multisig) can call peg functions. This might delay re-pegs.
Proof of Concept
Both `upperDepeg` and `lowerDepeg` are meant to be called by any EOA or whitelisted contracts, but due to the onlyRole modifier, only the admin can currently call these functions:
Tools Used
Manual Review
Recommended Mitigation Steps
Remove the `onlyRole` modifier from the re-pegging functions.
Assessed type
Other