search

code-423n4 / 2023-08-dopex-findings

3 stars 3 forks source link

totalWethDelegated does not decrease in withdraw can cause DOS #2208

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L986-L987

Vulnerability details

Impact

The accounting for total weth delegated increases when adding, but not withdrawing. This allows anyone to inflate this value by repeatedly adding and withdrawing. This again will cause DOS of the bonding mechanism.

Proof of Concept

RdpxV2Core.addToDelegate increases totalWethDelegated while RdpxV2Core.withdraw does not decrease it:

  function addToDelegate(
    uint256 _amount,
    uint256 _fee
  ) external returns (uint256) {
    ...
    // add amount to total weth delegated
    totalWethDelegated += _amount;
  }

This can be used to increase the value of totalWethDelegated through repeatedly adding and withdrawing. This value is used in RdpxV2Core.sync (which gets called in the bonding process) as part of a subtraction:

balance = balance - totalWethDelegated;

This will cause an underflow and break the bonding.

Tools Used

Manual Review

Recommended Mitigation Steps

Decrease totalWethDelegated when withdrawing

Assessed type

Other

c4-pre-sort commented 1 year ago

bytes032 marked the issue as duplicate of #2186

c4-judge commented 10 months ago

GalloDaSballo marked the issue as satisfactory

c4-judge commented 10 months ago

GalloDaSballo changed the severity to 2 (Med Risk)

c4-judge commented 10 months ago

GalloDaSballo marked the issue as partial-50

c4-judge commented 10 months ago

GalloDaSballo changed the severity to 3 (High Risk)