Lines of code
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L372-L396
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L790-L808
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L462-L524
Vulnerability details
Impact
The APP contract works in epochs, and each epoch defaults to 1 week. After every epoch the new funding rate is calculated. If the Core contract wants to pay the funding for a specific epoch to the APP contract, it must call provide funding at a precise time. However, if someone front-runs this transaction, or simply makes the call before the Core contract does, it will be a disaster for the Core contract because it will not be able to pay the funding for the given epoch.
Proof of Concept
This is the function the admin needs to call in the Core contract to pay funding to the APP contract:
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/core/RdpxV2Core.sol#L790-L808
As we can see, inside this function the Core contract calls the APP contract's payFunding() function. Here is the payFunding() function in the APP contract:
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L372-L393
As we can see, this line must be satisfied in order to pay the funding for the given epoch from the Core contract to the APP contract:
https://github.com/code-423n4/2023-08-dopex/blob/eb4d4a201b3a75dd4bddc74a34e9c42c71d0d12f/contracts/perp-vault/PerpetualAtlanticVault.sol#L376-L381
The problem here is the accounting mechanism for "fundingPaymentsAccountedFor[latestFundingPaymentPointer]". latestFundingPaymentPointer can be incremented permissionlessly by calling "updateFundingPaymentPointer()" in the APP contract. If the epoch is already over, the payment pointer will be incremented. If this happens, the new fundingPaymentsAccountedFor[latestFundingPaymentPointer] will be 0, hence the validation logic will revert and the Core contract will not be able to pay the funding as intended.
Tools Used
Manual
Recommended Mitigation Steps
Make sure that the funding has been paid before rolling over to the next epoch.
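The pointer accounting from the Proof of Concept and the mitigation above, as a simplified Python model added here; it is not the project's Solidity code. The compared quantity (active_options), the paid set, the guard_rollover flag and the sample amount are assumptions made for illustration, and the guard is only one possible reading of the recommendation.

```python
WEEK = 7 * 24 * 3600  # default epoch length stated in the report

class Revert(Exception):
    """Stands in for a Solidity revert."""

class VaultModel:
    """Simplified model of the APP funding bookkeeping, not the real contract."""

    def __init__(self, guard_rollover=False):
        self.pointer = 0               # latestFundingPaymentPointer
        self.accounted_for = {}        # fundingPaymentsAccountedFor[pointer]
        self.active_options = 0        # assumed other side of the check
        self.paid = set()              # hypothetical: epochs already funded
        self.guard_rollover = guard_rollover

    def account_options(self, amount):
        # Record active options as accounted for in the current epoch.
        self.active_options += amount
        self.accounted_for[self.pointer] = self.accounted_for.get(self.pointer, 0) + amount

    def update_funding_payment_pointer(self, now):
        # Permissionless: any caller can roll the pointer once the epoch is over.
        while now >= (self.pointer + 1) * WEEK:
            unpaid = self.accounted_for.get(self.pointer, 0) and self.pointer not in self.paid
            if self.guard_rollover and unpaid:
                raise Revert("funding for the ended epoch has not been paid")
            self.pointer += 1

    def pay_funding(self):
        # The check is keyed on whatever the pointer is at call time.
        if self.active_options != self.accounted_for.get(self.pointer, 0):
            raise Revert("validation failed")
        self.paid.add(self.pointer)
        return self.pointer

def scenario(guard_rollover):
    """A third party rolls the pointer at the epoch boundary, then Core pays."""
    vault = VaultModel(guard_rollover)
    vault.account_options(100)         # constructed sample value
    try:
        vault.update_funding_payment_pointer(now=WEEK)
    except Revert:
        pass                           # guarded variant refuses the early rollover
    try:
        return ("paid", vault.pay_funding())
    except Revert:
        return ("reverted", vault.pointer)
```

scenario(False) reproduces the revert described in the Proof of Concept, while scenario(True) lets the payment for epoch 0 go through before the pointer can move.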
Assessed type
Other