Open code423n4 opened 1 year ago
bytes032 marked the issue as primary issue
bytes032 marked the issue as sufficient quality report
psytama (sponsor) confirmed
GalloDaSballo marked the issue as selected for report
Will flag for douping on Post Judging QA
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L570 https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/core/RdpxV2Core.sol#L1175-L1177
Vulnerability details
Impact
Depending on the reserves of rDPX, bonding discounts are given both on the rDPX and WETH collateral requirements for minting dpxETH. The bonding discounts (for both rDPX and WETH portions) are provided as rDPX which is taken from the treasury. The issue with this is that the RdpxV2Core contract only functions properly when the full amount of WETH is provided (75% of the dpxETH value), because as per docs, 50% of the value of the dpxETH you are minting is required in WETH to add liquidity to the dpxETH-WETH pool.
This discount in WETH collateral requirements can be as high as
2/3 * 75% = 50%
of the entire value of dpxETH. The logic in the RdpxV2Core essentially then steals this extra WETH from the current balance of the contract, which can eventually drain this entire contract of WETH, leaving only rDPX tokens, which is highly problematic in terms of economic security. This will also DOS all future attempts to mint dpxETH once the WETH reserves are depleted.Proof of Concept
When a user bonds using rDPX directly they first call the
bond
function of the RdpxV2Core contract:The amount of WETH required,
wethRequired
, is calculated by thecalculateBondCost
function with the main logic being the following (note: the cost of the premium for the purchased amount of rDPX PUT option coverage is also included in this amount, but i am not showing that code here):As can be seen, there is a potential
bondDiscount
, which can be at most 100e8. Given that ETH_RATIO_PERCENTAGE is set to 75e8, the minimum amount ofwethRequired
would be 25% of the_amount
of dpxETH being minted. The remainder, which in this case would be 50% of the value of the dpxETH, will be provided by the reserve. Note: if this math didn't make sense, recall that 75% of the value of the minted dpxETH needs to be provided in ETH, and this discount can be as much as 2/3 of the ETH amount, meaning the minimum ETH requirement of the user will be 75% * 2/3 = 25%.The remainder of the ETH portion (
discountReceivedInWeth
) is then paid for by the reserve in the_transfer
function, which is defined as follows:As can be seen, the
discountReceivedInWeth
, which is an amount of ETH, will then be converted into an equivalent amount of rDPX (extraRdpxToWithdraw
), and then this amount of rDPX is withdrawn to serve as the collateral for the minted rDPX.The issue with this is the following call to
_stake
within the flow of thebond
function, which has the following line of code:Essentially, irrespective of the actual amount of ETH which has been deposited by the user, for the specified
_amount
of dpxETH to mint,_amount / 2
of ETH will be taken from the token reserves of the RdpxV2Core contract. This means that as more and more ETH discounts are given, this ETH amount will be drained to zero. At this point, future calls tobond
will revert.Tools Used
Manual review
Recommended Mitigation Steps
The discount on the WETH portion during minting should be provided in WETH rather than in an equivalent amount of rDPX.
Assessed type
Other