RdpxV2Core: setRdpxBurnPercentage() and setRdpxFeePercentage() affected by Precision & Input validation issue which will result in rdpx burn & fee % to be 1e8 smaller than expected/intended. #2215
RdpxV2Core: setRdpxBurnPercentage() and setRdpxFeePercentage() affected by Precision & Input validation issue which will result in rdpx burn & fee % to be 1e8 smaller than expected/intended.
Proof of Concept
Summary:
L181: input validation: its assumed the % value, e.g. 50 is passed here, WITHOUT the precision constant.
L184: 0)a) H/M?: dev overlooked to include the DEFAULT_PRECISION as per L178 comment.
Consequences: rdpx burn % will be 1e8 smaller than expected/intended.
/**
* @notice Sets the rdpx burn percentage
* @dev Can only be called by admin
* @param _rdpxBurnPercentage the burn percentage to set in 1e8 precision
**/
function setRdpxBurnPercentage(
uint256 _rdpxBurnPercentage
) external onlyRole(DEFAULT_ADMIN_ROLE) {
_validate(_rdpxBurnPercentage > 0, 3);
rdpxBurnPercentage = _rdpxBurnPercentage;
emit LogSetRdpxBurnPercentage(_rdpxBurnPercentage);
}
L194: input validation: its assumed the % value, e.g. 50 is passed here, WITHOUT the precision constant.
L197: dev overlooked to include the DEFAULT_PRECISION as per L191 comment.
Consequences: rdpx fee % will be 1e8 smaller than expected/intended.
/**
* @notice Sets the rdpx fee percentage
* @dev Can only be called by admin
* @param _rdpxFeePercentage the fee percentage to set in 1e8 precision
**/
function setRdpxFeePercentage(
uint256 _rdpxFeePercentage
) external onlyRole(DEFAULT_ADMIN_ROLE) {
_validate(_rdpxFeePercentage > 0, 3);
rdpxFeePercentage = _rdpxFeePercentage;
emit LogSetRdpxFeePercentage(_rdpxFeePercentage);
}
Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L181 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L184 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L194 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L197 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L175-L199
Vulnerability details
Impact
RdpxV2Core: setRdpxBurnPercentage() and setRdpxFeePercentage() affected by Precision & Input validation issue which will result in rdpx burn & fee % to be 1e8 smaller than expected/intended.
Proof of Concept
Summary:
Fix:
rdpxBurnPercentage = _rdpxBurnPercentage * DEFAULT_PRECISION;
Consequences: rdpx burn % will be 1e8 smaller than expected/intended.
Fix:
rdpxFeePercentage = _rdpxFeePercentage * DEFAULT_PRECISION;
Consequences: rdpx fee % will be 1e8 smaller than expected/intended.
Tools Used
VSC.
Recommended Mitigation Steps
Fix:
rdpxBurnPercentage = _rdpxBurnPercentage * DEFAULT_PRECISION;
Fix:
rdpxFeePercentage = _rdpxFeePercentage * DEFAULT_PRECISION;
Assessed type
Math