Lines of code
https://github.com/redacted-cartel/pirex-eth-contracts/blob/11f30c7e35b67d45deefe405c22a30f352bc5b21/src/PirexEth.sol#L460
Vulnerability details
I have identified another potential vulnerability related to the initiateRedemption function.
Vulnerability:
The initiateRedemption function does not correctly calculate the postFeeAmount when the autoPxEth contract is involved. The _pxEthAmount is calculated based on the apxETH-ETH ratio during the current block. However, the postFeeAmount calculation does not consider the potential impact of the autoPxEth contract on the pxETH supply. If the autoPxEth contract has a large pxETH balance, an attacker can manipulate the pxETH supply and affect the postFeeAmount calculation, potentially leading to unintended consequences.
Impact:
An attacker could potentially manipulate the pxETH supply and affect the fee calculation for redemptions, affecting the expected revenue for the contract owner or causing unintended consequences in the system.
Exploitation:
An attacker can exploit this vulnerability by creating transactions that manipulate the pxETH balance in the autoPxEth contract. By increasing or decreasing the pxETH balance in the autoPxEth contract, the attacker can indirectly affect the postFeeAmount calculation in the initiateRedemption function.
Recommendation:
To mitigate this vulnerability, consider implementing a more robust postFeeAmount calculation in the initiateRedemption function. The calculation should include the pxETH balance from the autoPxEth contract and any other contracts that can influence the pxETH supply.
Here is an example of how to implement the fix:
Update the initiateRedemption function to calculate totalPxEth:
totalPxEth in the postFeeAmount calculation:
By implementing this fix, you can ensure that the postFeeAmount calculation takes into account the impact of the autoPxEth contract, preventing potential supply manipulation and maintaining a fair fee calculation.