code-423n4 / 2023-08-dopex-findings


payFunding must be called right after the epoch ends in APP contract #655

Open code423n4 opened 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L372-L396
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L790-L808
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L462-L524

Vulnerability details

Impact

The APP contract works with epochs, and every epoch defaults to 1 week. After every epoch the new funding rate will be calculated. If the core contract wants to pay the funding for a specific epoch to the APP contract, then it needs to call provide funding at a precise time. However, if someone frontruns this tx or simply calls before the core contract, it will be a disaster for the core contract because it will not be able to pay the funding for the given epoch.

Proof of Concept

This is the function the admin needs to call in the Core contract to pay funding to the APP contract:
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L790-L808

As we can see, inside this function the Core contract calls the APP contract's payFunding() function. Here is the payFunding() function in the APP contract:
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L372-L393

As we can see, this line must be satisfied in order to pay the funding for the given epoch from the Core contract to the APP contract:
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L376-L381

The problem here is the accounting mechanism for "fundingPaymentsAccountedFor[latestFundingPaymentPointer]". latestFundingPaymentPointer will be incremented permissionlessly by calling "updateFundingPaymentPointer()" in the APP contract. If the epoch is already over, the payment pointer will be incremented. If this happens, the new fundingPaymentsAccountedFor[latestFundingPaymentPointer] will be 0; hence the validation logic will revert and the Core contract will not be able to pay the funding as intended.

Tools Used

Manual

Recommended Mitigation Steps

Make sure that the funding has been paid before rolling over to the next epoch.

Assessed type

Other
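The ordering problem described in the finding, as an added illustration that is not the Dopex code and not part of the original submission. The contract below is a stripped-down model of the vault: it keeps only the epoch pointer, the per-epoch accounting mapping and the `payFunding` check, so the race between a permissionless `updateFundingPaymentPointer()` call and the core's `payFunding()` call can be walked through. The state names `latestFundingPaymentPointer`, `fundingPaymentsAccountedFor`, `totalActiveOptions`, `payFunding` and `updateFundingPaymentPointer` come from the finding; the `core` address gate, the `fundingPaid` mapping, `calculateFunding` and all numeric values are assumptions for the model. The second contract applies the mitigation recommended above (refuse to roll the pointer past an epoch whose funding is unpaid).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

/// Simplified model of the epoch/pointer accounting from the finding (added example,
/// not the Dopex PerpetualAtlanticVault). Only the state needed to show the
/// ordering problem is kept.
contract EpochFundingModel {
    uint256 public constant FUNDING_DURATION = 7 days;

    address public immutable core;    // assumed: stands in for the RDPXV2CORE_ROLE gate
    uint256 public immutable genesis;

    uint256 public latestFundingPaymentPointer = 1;
    uint256 public totalActiveOptions;                                // options currently open
    mapping(uint256 => uint256) public fundingPaymentsAccountedFor;   // per epoch: options whose funding was computed
    mapping(uint256 => uint256) public totalFundingForEpoch;          // per epoch: funding owed by core
    mapping(uint256 => bool) public fundingPaid;                      // assumed: added for the mitigation

    constructor(address _core) {
        core = _core;
        genesis = block.timestamp;
        totalActiveOptions = 100e18; // constructed: pretend 100 options are open
    }

    function nextFundingPaymentTimestamp() public view returns (uint256) {
        return genesis + latestFundingPaymentPointer * FUNDING_DURATION;
    }

    /// Accounts for `optionsAmount` options in the epoch the pointer currently
    /// points at and accrues the funding owed for them. Permissionless.
    function calculateFunding(uint256 optionsAmount, uint256 fundingPerOption) external {
        uint256 p = latestFundingPaymentPointer;
        fundingPaymentsAccountedFor[p] += optionsAmount;
        totalFundingForEpoch[p] += (optionsAmount * fundingPerOption) / 1e18;
    }

    /// Rolls the pointer forward once an epoch has ended. Anyone can call it, so it
    /// can be front-run against core's payFunding() as soon as the epoch ends.
    function updateFundingPaymentPointer() public virtual {
        while (block.timestamp >= nextFundingPaymentTimestamp()) {
            latestFundingPaymentPointer += 1;
        }
    }

    /// Core pays the funding for the epoch the pointer currently points at.
    function payFunding() external returns (uint256 fundingAmount) {
        require(msg.sender == core, "not core");
        uint256 p = latestFundingPaymentPointer;
        // The check from the finding. Once the pointer has moved to a fresh epoch,
        // fundingPaymentsAccountedFor[p] is 0 while totalActiveOptions is not, so this
        // reverts and the funding for the epoch that just ended can no longer be paid.
        require(totalActiveOptions == fundingPaymentsAccountedFor[p], "funding not accounted");
        fundingAmount = totalFundingForEpoch[p];
        fundingPaid[p] = true;
        // token transfer from core is omitted in this model
    }
}

/// Mitigation along the lines recommended in the finding: the pointer cannot move past
/// an epoch until core has paid its funding, so a permissionless roll-over cannot
/// strand that epoch's payment.
contract EpochFundingModelFixed is EpochFundingModel {
    constructor(address _core) EpochFundingModel(_core) {}

    function updateFundingPaymentPointer() public override {
        while (block.timestamp >= nextFundingPaymentTimestamp()) {
            require(fundingPaid[latestFundingPaymentPointer], "pay funding first");
            latestFundingPaymentPointer += 1;
        }
    }
}
```

To reproduce the failure on the first contract: deploy with `core` set to your account, call `calculateFunding(100e18, 1e16)` so the epoch is fully accounted for, advance the chain by 7 days, call `updateFundingPaymentPointer()` from any other account, then call `payFunding()` as `core`; it reverts with "funding not accounted" because the pointer now points at an epoch with nothing accounted for. The same sequence against `EpochFundingModelFixed` reverts at the roll-over instead, and `payFunding()` still succeeds for the ended epoch. Note the trade-off the fixed variant introduces: the pointer is blocked until core pays, so a production fix also needs a way for the pointer to advance if core never does (for example paying and rolling in one call from core, or a timeout), otherwise liveness of the vault depends on a single privileged caller.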

c4-pre-sort commented 11 months ago

bytes032 marked the issue as duplicate of #1674

c4-judge commented 10 months ago

GalloDaSballo changed the severity to QA (Quality Assurance)