Closed code423n4 closed 1 year ago
bytes032 marked the issue as duplicate of #2186
GalloDaSballo marked the issue as satisfactory
GalloDaSballo changed the severity to 2 (Med Risk)
GalloDaSballo marked the issue as partial-50
GalloDaSballo changed the severity to 3 (High Risk)
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L986-L987
Vulnerability details
Impact
The accounting for total WETH delegated increases when adding, but not withdrawing. This allows anyone to inflate this value by repeatedly adding and withdrawing. This again will cause a DoS of the bonding mechanism.
Proof of Concept
RdpxV2Core.addToDelegate increases totalWethDelegated while RdpxV2Core.withdraw does not decrease it:
This can be used to increase the value of totalWethDelegated through repeatedly adding and withdrawing. This value is used in RdpxV2Core.sync (which gets called in the bonding process) as part of a subtraction:
This will cause an underflow and break the bonding.
Tools Used
Manual Review
Recommended Mitigation Steps
Decrease totalWethDelegated when withdrawing
Assessed type
Other
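The accounting drift described in this report and the recommended mitigation, shown side by side in a simplified model. This is an added example, not code from RdpxV2Core or from the report's author. It assumes a plain counter `wethHeld` in place of the WETH token balance and delegates with no active collateral; all names other than `addToDelegate`, `withdraw`, `sync` and `totalWethDelegated` are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model for illustration only (not RdpxV2Core).
contract DelegateAccountingModel {
    struct Delegate { address owner; uint256 amount; }

    Delegate[] public delegates;
    uint256 public wethHeld;           // assumption: stands in for the WETH balance held
    uint256 public totalWethDelegated; // counter named in the report
    uint256 public reserveWeth;        // value derived by sync()

    function addToDelegate(uint256 amount) external returns (uint256 id) {
        require(amount > 0, "zero amount");
        wethHeld += amount;
        totalWethDelegated += amount;
        delegates.push(Delegate(msg.sender, amount));
        return delegates.length - 1;
    }

    // Behaviour the report describes: funds leave, the counter stays.
    function withdrawAsReported(uint256 id) external {
        wethHeld -= _release(id);
    }

    // Recommended mitigation: reduce the counter by the amount withdrawn.
    function withdrawMitigated(uint256 id) external {
        uint256 amount = _release(id);
        wethHeld -= amount;
        totalWethDelegated -= amount;
    }

    // Checked arithmetic (Solidity >= 0.8) reverts here once the counter exceeds the balance.
    function sync() external {
        reserveWeth = wethHeld - totalWethDelegated;
    }

    // Invariant for unit or fuzz tests: counter equals the sum of live delegate amounts.
    function counterMatchesDelegates() external view returns (bool) {
        uint256 sum;
        for (uint256 i; i < delegates.length; ++i) sum += delegates[i].amount;
        return sum == totalWethDelegated;
    }

    function _release(uint256 id) private returns (uint256 amount) {
        Delegate storage d = delegates[id];
        require(d.owner == msg.sender, "not owner");
        amount = d.amount;
        require(amount > 0, "nothing to withdraw");
        d.amount = 0;
    }
}
```

In this model `counterMatchesDelegates()` returns false after any call to `withdrawAsReported` and stays true when only `withdrawMitigated` is used, which makes it a suitable invariant to assert in a test suite.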