code-423n4 / 2023-08-dopex-findings


Users can redeem rDpx they haven't deposited #2221

Closed code423n4 closed 10 months ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L145

Vulnerability details

Impact

This can lead to loss of funds for the protocol

Proof of Concept

In the redeem function of PerpetualAtlanticVaultLP, the rdpx amount to send to the user is calculated in addition to the WETH, and there is no check for whether the user actually owns the rdpx.

        // body of redeem(shares, receiver, owner), after its allowance check on the caller
        (assets, rdpxAmount) = redeemPreview(shares);

        // Check for rounding error since we round down in previewRedeem.
        require(assets != 0, "ZERO_ASSETS");

        _rdpxCollateral -= rdpxAmount;

        beforeWithdraw(assets, shares);

        _burn(owner, shares);

        // pay out both the WETH collateral and the rDPX share to the receiver
        collateral.transfer(receiver, assets);

        IERC20WithBurn(rdpx).safeTransfer(receiver, rdpxAmount);

    // pro-rata conversion used by redeemPreview: both payouts scale with shares / totalSupply
    function _convertToAssets(
        uint256 shares
    ) internal view virtual returns (uint256 assets, uint256 rdpxAmount) {
        uint256 supply = totalSupply;
        return
            (supply == 0)
                ? (shares, 0)
                : (
                    shares.mulDivDown(totalCollateral(), supply),
                    shares.mulDivDown(_rdpxCollateral, supply)
                );
    }

Tools Used

Manual Review

Recommended Mitigation Steps

Assessed type

Other
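A constructed Python model of the share accounting the quoted snippet implements, added here as an example and not part of the finding or of the Dopex contracts; it assumes shares are minted against WETH only (ERC4626-style), that rDPX credited to the vault is pooled rather than tied to a depositor, and models the allowance check on the caller as a plain owner/spender allowance.

```python
def mul_div_down(x: int, y: int, d: int) -> int:
    # Solmate-style mulDivDown: floor(x * y / d), as used by _convertToAssets
    return (x * y) // d


class VaultModel:
    def __init__(self) -> None:
        self.total_supply = 0      # totalSupply of LP shares
        self.collateral = 0        # WETH held; stands in for totalCollateral()
        self.rdpx_collateral = 0   # _rdpxCollateral
        self.balance = {}          # holder -> shares
        self.allowance = {}        # (owner, spender) -> shares

    def deposit(self, who: str, assets: int) -> int:
        # Assumption: shares are minted against WETH only, ERC4626-style
        shares = assets if self.total_supply == 0 else mul_div_down(assets, self.total_supply, self.collateral)
        self.collateral += assets
        self.total_supply += shares
        self.balance[who] = self.balance.get(who, 0) + shares
        return shares

    def add_rdpx(self, amount: int) -> None:
        self.rdpx_collateral += amount   # assumption: pooled, not per-depositor

    def approve(self, owner: str, spender: str, shares: int) -> None:
        self.allowance[(owner, spender)] = shares

    def convert_to_assets(self, shares: int):
        # Mirrors _convertToAssets: both payouts are pro-rata to the share count
        if self.total_supply == 0:
            return shares, 0
        return (mul_div_down(shares, self.collateral, self.total_supply),
                mul_div_down(shares, self.rdpx_collateral, self.total_supply))

    def redeem(self, caller: str, shares: int, owner: str):
        if caller != owner:  # the allowance check that precedes the quoted lines
            allowed = self.allowance.get((owner, caller), 0)
            if allowed < shares:
                raise PermissionError("insufficient allowance")
            self.allowance[(owner, caller)] = allowed - shares
        if self.balance.get(owner, 0) < shares:
            raise ValueError("insufficient shares")  # _burn would underflow
        assets, rdpx = self.convert_to_assets(shares)
        if assets == 0:
            raise ValueError("ZERO_ASSETS")  # rounding-error check
        self.rdpx_collateral -= rdpx
        self.balance[owner] -= shares
        self.total_supply -= shares
        self.collateral -= assets
        return assets, rdpx
```

Running two depositors through it shows that a holder who deposited only WETH still receives a share of any rDPX the vault holds, and that a third party without allowance cannot redeem someone else's shares.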

c4-pre-sort commented 1 year ago

bytes032 marked the issue as duplicate of #867

c4-pre-sort commented 12 months ago

bytes032 marked the issue as low quality report

c4-pre-sort commented 12 months ago

bytes032 marked the issue as not a duplicate

bytes032 commented 12 months ago

the function will revert if there's not enough allowance

c4-sponsor commented 11 months ago

psytama (sponsor) disputed

c4-judge commented 10 months ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient proof