code-423n4 / 2023-08-dopex-findings


Users buying big amounts of bonds can get a bigger discount by donating rDPX to the reserve #2209

Closed code423n4 closed 11 months ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1163-L1165
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1169-L1177

Vulnerability details

Impact

Users that will be buying big amounts of bonds in the protocol can get them at cheaper rates.

Proof of Concept

The protocol gives bond-buyers a percentage discount that is based on the following formula:

uint256 bondDiscount = (bondDiscountFactor * Math.sqrt(IRdpxReserve(addresses.rdpxReserve).rdpxReserve()) * 1e2) / (Math.sqrt(1e18)); // 1e8 precision

This formula is directly influenced by the amount of rDPX that is held in the reserve contract. The issue arises due to the rdpxReserve() being the following:

function rdpxReserve() external view returns (uint256) {
    return IERC20WithBurn(rdpx).balanceOf(address(this));
}

Tokens can directly be donated by anyone to increase the discount percentage given out by the protocol.

This whole scenario favours users who have a big amount of capital and want to buy bonds in the protocol. The issue is operating under the assumption that the amount donated to the reserve contract will be smaller than the amount of tokens saved by the user for donating.

Tools Used

Manual review

Recommended Mitigation Steps

Consider keeping a virtual rDPX balance in the reserve contract instead of using the real value so donation attacks are not possible.

function rdpxReserve() external view returns (uint256) {
    return virtualRDPXAmount;
}

Assessed type

Other
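The following is an added example, not code from the Dopex contracts or from the finding's author: a Python model of the bondDiscount formula quoted above, with integer arithmetic so it mirrors Solidity's uint256 math. It reads the reserve either from a token balance (the quoted rdpxReserve()) or from a virtual counter (the recommended mitigation) and measures how far one donation moves the discount. The bondDiscountFactor, reserve size, donation and bond cost are constructed values, and the assumption that the discount is applied linearly to a bond's rDPX cost is mine, not something the page states.

```python
from math import isqrt

# Added example: integer model of the discount formula quoted in the finding.
# Amounts are in wei (10**18 == 1 rDPX). All inputs below are constructed and
# are not taken from the Dopex deployment.

ONE = 10**18
SQRT_ONE = isqrt(ONE)         # Math.sqrt(1e18) == 1e9
PCT_PRECISION = 100 * 10**8   # 100% in the formula's 1e8 precision


def bond_discount(bond_discount_factor: int, rdpx_reserve: int) -> int:
    """The bondDiscount formula from RdpxV2Core (1e8 precision, so 1e8 == 1%)."""
    return (bond_discount_factor * isqrt(rdpx_reserve) * 100) // SQRT_ONE


class Reserve:
    """Toy reserve: an ERC20 balance next to a virtual counter the protocol owns."""

    def __init__(self, initial: int) -> None:
        self.balance = initial   # what IERC20.balanceOf(address(this)) returns
        self.virtual = initial   # updated only by protocol-controlled functions

    def donate(self, amount: int) -> None:
        # A plain ERC20 transfer to the reserve address: balanceOf moves, but no
        # protocol function ran, so the virtual counter stays where it was.
        self.balance += amount

    def rdpx_reserve_real(self) -> int:
        return self.balance      # the implementation the finding quotes

    def rdpx_reserve_virtual(self) -> int:
        return self.virtual      # the recommended mitigation (virtual balance)


def donation_effect(factor: int, reserve: Reserve, donation: int, bond_cost: int,
                    use_virtual: bool = False) -> dict:
    """Measure how one donation moves the discount and what it is worth on a bond.

    Assumption (not stated on the page): the discount applies linearly to the
    bond's undiscounted rDPX cost, so savings = bond_cost * discount_delta / 100%.
    """
    read = reserve.rdpx_reserve_virtual if use_virtual else reserve.rdpx_reserve_real
    before = bond_discount(factor, read())
    reserve.donate(donation)
    after = bond_discount(factor, read())
    delta = after - before
    savings = bond_cost * delta // PCT_PRECISION
    return {
        "discount_before": before,
        "discount_after": after,
        "savings_wei": savings,
        "donation_wei": donation,
        "savings_exceed_donation": savings > donation,
    }


if __name__ == "__main__":
    FACTOR = 10_000                 # constructed bondDiscountFactor
    RESERVE = 1_000_000 * ONE       # constructed reserve balance: 1,000,000 rDPX
    DONATION = 100_000 * ONE        # constructed donation: 100,000 rDPX
    for cost in (10_000_000 * ONE, 50_000_000 * ONE):
        for use_virtual in (False, True):
            r = donation_effect(FACTOR, Reserve(RESERVE), DONATION, cost, use_virtual)
            mode = "virtual" if use_virtual else "balanceOf"
            print(f"{mode:9s} bond {cost // ONE:>12,} rDPX: "
                  f"discount {r['discount_before'] / 1e8:.4f}% -> "
                  f"{r['discount_after'] / 1e8:.4f}%, "
                  f"savings {r['savings_wei'] // ONE:,} vs donation {DONATION // ONE:,}")
```

With the constructed numbers the discount moves from 10% to about 10.49% for a 10% increase in the balance, which is worth less than the donation on a 10,000,000 rDPX bond but more than the donation on a 50,000,000 rDPX bond: the break-even the finding's last paragraph alludes to depends on bond size, which is why the sqrt-of-balance formula is only safe when the balance it reads cannot be moved by an arbitrary transfer. The virtual-counter reading returns the same discount before and after the transfer, which is the property the mitigation is meant to provide.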

c4-pre-sort commented 12 months ago

bytes032 marked the issue as sufficient quality report

c4-pre-sort commented 12 months ago

bytes032 marked the issue as primary issue

c4-pre-sort commented 11 months ago

bytes032 marked the issue as duplicate of #2049

c4-judge commented 10 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)