search

code-423n4 / 2023-08-dopex-findings

3 stars 3 forks source link

`PerpetualAtlanticVaultLP` holders can evade option loss by frontrunning `settle()` with `redeem()` #738

Closed code423n4 closed 1 year ago

code423n4 commented 1 year ago

Lines of code

https://github.com/code-423n4/2023-08-dopex/blob/main/contracts/perp-vault/PerpetualAtlanticVaultLP.sol#L145-L175

Vulnerability details

PerpetualAtlanticVaultLP holders receives premium/funding for their deposited WETH, which are used to write PerpetualAtlanticVault put options.

However, they are able to redeem their WETH anytime as long as there are available WETH in PerpetualAtlanticVaultLP. As the losses from the options are deducted from PerpetualAtlanticVaultLP via settle(), PerpetualAtlanticVaultLP holders can evade the loss and redeem their WETH by frontrunning settle() operation. They can then backrun settle() to re-deposit the redeemed WETH at a lower share price.

Even though, Arbitrum does not have a mempool at the moment, there could possibly be MEV opportunities in the future when they decentralize the sequencer. And this issue is also applicable if the project intends to expand to other chains or make it omnichain.

Impact

The issue can allow PerpetualAtlanticVaultLP holders to arbitrage by evading options while receiving premium/funding, causing the other holders to inccur higher losses.

Proof of Concept

Imagine the following scenario,

  1. Alice who is a PerpetualAtlanticVaultLP holder has deposited WETH in PerpetualAtlanticVaultLP and receives premium/funding for them.
  2. Alice monitors for settle() transaction and proceed to frontrun them by calling redeem() to evade the option loss and withdraws her WETH & rDPX.
  3. Alice can then backrun the settle() transactions with deposit(), to deposit the WETH & rDPX at a lower share price and continue to receive premium/funding for them.

Recommended Mitigation Steps

Add in a time lock on PerpetualAtlanticVaultLP redemption, to allow holders to request redemption and only allow them to retrieve the WETH & rDPX after a certain period of time. Note that holders should not receive fundings upon redemption request.

Assessed type

MEV

c4-pre-sort commented 1 year ago

bytes032 marked the issue as low quality report

bytes032 commented 1 year ago

LQ because of front-running on Arb

c4-judge commented 1 year ago

GalloDaSballo marked the issue as unsatisfactory: Insufficient proof

GalloDaSballo commented 1 year ago

OTM -> Cannot redeem ITM -> Redeem is on purpose

c4-judge commented 1 year ago

GalloDaSballo marked the issue as duplicate of #1584

c4-judge commented 1 year ago

GalloDaSballo marked the issue as satisfactory