code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L181 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L184 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L194 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L197 https://github.com/code-423n4/2023-08-dopex/blob/e96aaa5ea21f11b29d828dbe2d0745974cd046ed/contracts/core/RdpxV2Core.sol#L175-L199

Vulnerability details

Impact

RdpxV2Core: setRdpxBurnPercentage() and setRdpxFeePercentage() affected by Precision & Input validation issue which will result in rdpx burn & fee % to be 1e8 smaller than expected/intended.

Proof of Concept

Summary:

L181: input validation: its assumed the % value, e.g. 50 is passed here, WITHOUT the precision constant.
L184: 0)a) H/M?: dev overlooked to include the DEFAULT_PRECISION as per L178 comment.

Fix: rdpxBurnPercentage = _rdpxBurnPercentage * DEFAULT_PRECISION;

Consequences: rdpx burn % will be 1e8 smaller than expected/intended.

  /**
   * @notice Sets the rdpx burn percentage
   * @dev    Can only be called by admin
   * @param  _rdpxBurnPercentage the burn percentage to set in 1e8 precision
   **/
  function setRdpxBurnPercentage(
    uint256 _rdpxBurnPercentage   
  ) external onlyRole(DEFAULT_ADMIN_ROLE) {
    _validate(_rdpxBurnPercentage > 0, 3);
    rdpxBurnPercentage = _rdpxBurnPercentage;   
    emit LogSetRdpxBurnPercentage(_rdpxBurnPercentage);
  }

L194: input validation: its assumed the % value, e.g. 50 is passed here, WITHOUT the precision constant.
L197: dev overlooked to include the DEFAULT_PRECISION as per L191 comment.

Fix: rdpxFeePercentage = _rdpxFeePercentage * DEFAULT_PRECISION;

Consequences: rdpx fee % will be 1e8 smaller than expected/intended.

  /**
   * @notice Sets the rdpx fee percentage
   * @dev    Can only be called by admin
   * @param  _rdpxFeePercentage the fee percentage to set in 1e8 precision
   **/
  function setRdpxFeePercentage(
    uint256 _rdpxFeePercentage  
  ) external onlyRole(DEFAULT_ADMIN_ROLE) {
    _validate(_rdpxFeePercentage > 0, 3);
    rdpxFeePercentage = _rdpxFeePercentage;   
    emit LogSetRdpxFeePercentage(_rdpxFeePercentage);
  }

Tools Used

VSC.

Recommended Mitigation Steps

Fix: rdpxBurnPercentage = _rdpxBurnPercentage * DEFAULT_PRECISION;

Fix: rdpxFeePercentage = _rdpxFeePercentage * DEFAULT_PRECISION;

Assessed type

Math

c4-pre-sort commented 11 months ago

bytes032 marked the issue as sufficient quality report

c4-pre-sort commented 11 months ago

bytes032 marked the issue as duplicate of #747

c4-judge commented 10 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)

code-423n4 / 2023-08-dopex-findings

RdpxV2Core: setRdpxBurnPercentage() and setRdpxFeePercentage() affected by Precision & Input validation issue which will result in rdpx burn & fee % to be 1e8 smaller than expected/intended. #2215