This formula is directly influenced by the amount of rDPX that is held in the reserve contract. The issue arises because rdpxReserve() is implemented as follows:
function rdpxReserve() external view returns (uint256) {
    return IERC20WithBurn(rdpx).balanceOf(address(this));
}
Tokens can directly be donated by anyone to increase the discount percentage given out by the protocol.
This whole scenario favours users who have a large amount of capital and want to buy bonds in the protocol. The issue operates under the assumption that the amount donated to the reserve contract will be smaller than the amount of tokens the user saves by donating.
Tools Used
Manual review
Recommended Mitigation Steps
Consider keeping a virtual rDPX balance in the reserve contract instead of using the real value so donation attacks are not possible.
function rdpxReserve() external view returns (uint256) {
    return virtualRDPXAmount;
}
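A fuller sketch of the virtual-balance mitigation, added here as an example and not taken from the Dopex code base. Only rdpxReserve() and virtualRDPXAmount come from the report; the contract name, the core address, deposit(), withdraw() and unaccountedRDPX() are hypothetical, and rDPX is assumed to be a plain ERC-20 with no transfer fee or rebasing.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example, not the project's contract. Hypothetical names throughout,
// except rdpxReserve() and virtualRDPXAmount, which appear in the report.
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract VirtualReserveSketch {
    IERC20 public immutable rdpx;
    address public immutable core;     // assumed: the only caller allowed to move reserves
    uint256 public virtualRDPXAmount;  // internal accounting, untouched by raw transfers

    constructor(address _rdpx, address _core) {
        rdpx = IERC20(_rdpx);
        core = _core;
    }

    modifier onlyCore() {
        require(msg.sender == core, "not core");
        _;
    }

    // The reserve grows only through this accounted path.
    function deposit(uint256 amount) external onlyCore {
        virtualRDPXAmount += amount;
        require(rdpx.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
    }

    // The reserve shrinks only through this accounted path.
    function withdraw(uint256 amount) external onlyCore {
        virtualRDPXAmount -= amount; // reverts on underflow in Solidity 0.8.x
        require(rdpx.transfer(msg.sender, amount), "transfer failed");
    }

    // Value fed into the discount: a direct token transfer leaves it unchanged.
    function rdpxReserve() external view returns (uint256) {
        return virtualRDPXAmount;
    }

    // Tokens sent outside deposit() are visible here instead of in rdpxReserve().
    function unaccountedRDPX() external view returns (uint256) {
        uint256 bal = rdpx.balanceOf(address(this));
        return bal > virtualRDPXAmount ? bal - virtualRDPXAmount : 0;
    }
}
```

A non-zero unaccountedRDPX() is also a useful monitoring signal, since it shows that tokens reached the reserve outside the accounted path.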
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1163-L1165
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1169-L1177
Vulnerability details
Impact
Users who buy large amounts of bonds in the protocol can get them at cheaper rates.
Proof of Concept
The protocol gives bond-buyers a percentage discount that is based on the following formula:
This formula is directly influenced by the amount of rDPX that is held in the reserve contract. The issue arises because rdpxReserve() returns the rDPX token balance held by the reserve contract itself.
Tokens can directly be donated by anyone to increase the discount percentage given out by the protocol.
This whole scenario favours users who have a large amount of capital and want to buy bonds in the protocol. The issue operates under the assumption that the amount donated to the reserve contract will be smaller than the amount of tokens the user saves by donating.
Tools Used
Manual review
Recommended Mitigation Steps
Consider keeping a virtual rDPX balance in the reserve contract instead of using the real value so donation attacks are not possible.
Assessed type
Other